From 24b36b4a2cf3055086efdb7e2b51f7bf1ffac3da Mon Sep 17 00:00:00 2001 
From: Jared Ondricek Date: Tue, 31 Oct 2023 08:47:50 -0500 Subject: [PATCH] ATT&CK v14.0 ICS --- ...-008b8f56-6107-48be-aa9f-746f927dbb61.json | 30 +- ...-063b5b92-5361-481a-9c3f-95492ed9a2d8.json | 41 +- ...-097924ce-a9a9-4039-8591-e0deedfb8722.json | 17 +- ...-09a61657-46e1-439e-b3ed-3e4556a78243.json | 12 +- ...-0fe075d5-beac-4d02-b93e-0f874997db72.json | 4 +- ...-138979ba-0430-4de6-a128-2fc0b056ba36.json | 7 +- ...-19a71d1e-6334-4233-8260-b749cae37953.json | 25 +- ...-1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json | 4 +- ...-1b22b676-9347-4c55-9a35-ef0dc653db5b.json | 19 +- ...-1c478716-71d9-46a4-9a53-fa5d576adb60.json | 26 +- ...-23270e54-1d68-4c3b-b763-b25607bcef80.json | 2 +- ...-24a9253e-8948-4c98-b751-8e2aee53127c.json | 14 +- ...-25852363-5968-4673-b81d-341d5ed90bd1.json | 8 +- ...-25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json | 26 +- ...-2736b752-4ec5-4421-a230-8977dea7649c.json | 17 +- ...-2877063e-1851-48d2-bcc6-bc1d2733157e.json | 16 +- ...-2883c520-7957-46ca-89bd-dab1ad53b601.json | 9 +- ...-2900bbd8-308a-4274-b074-5b8bde8347bc.json | 20 +- ...-2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json | 6 +- ...-2bb4d762-bf4a-4bc3-9318-15cc6a354163.json | 4 +- ...-2d0d40ad-22fa-4cc8-b264-072557e1364b.json | 10 +- ...-2dc2b567-8821-49f9-9045-8740f3d0b958.json | 12 +- ...-2fedbe69-581f-447d-8a78-32ee7db939a9.json | 19 +- ...-3067b85e-271e-4bc5-81ad-ab1a81d411e3.json | 11 +- ...-32632a95-6856-47b9-9ab7-fea5cd7dce00.json | 6 +- ...-3405891b-16aa-4bd7-bd7c-733501f9b20f.json | 16 +- ...-35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json | 18 +- ...-36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json | 20 +- ...-38213338-1aab-479d-949b-c81b66ccca5c.json | 10 +- ...-3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json | 6 +- ...-3de230d4-3e42-4041-b089-17e1128feded.json | 14 +- ...-3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json | 26 +- ...-40b300ba-f553-48bf-862e-9471b220d455.json | 18 +- ...-493832d9-cea6-4b63-abe7-9a65a6473675.json | 38 +- ...-4c2e1408-9d68-4187-8e6b-a77bc52700ec.json | 8 +- 
...-50d3222f-7550-4a3c-94e1-78cb6c81d064.json | 2 +- ...-539d0484-fe95-485a-b654-86991c0d0d00.json | 2 +- ...-53a26eee-1080-4d17-9762-2027d5a1b805.json | 15 +- ...-53a48c74-0025-45f4-b04a-baa853df8204.json | 6 +- ...-56ddc820-6cfb-407f-850b-52c035d123ac.json | 10 +- ...-5a2610f6-9fff-41e1-bc27-575ca20383d4.json | 6 +- ...-5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json | 11 +- ...-5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json | 2 +- ...-5fa00fdd-4a55-4191-94a0-564181d7fec2.json | 4 +- ...-63b6942d-8359-4506-bfb3-cf87aa8120ee.json | 4 +- ...-648f995e-9c3a-41e4-aeee-98bb41037426.json | 15 +- ...-7374ab87-0782-41f8-b415-678c0950bb2a.json | 2 +- ...-7830cfcf-b268-4ac0-a69e-73c6affbae9a.json | 10 +- ...-83ebd22f-b401-4d59-8219-2294172cf916.json | 10 +- ...-8535b71e-3c12-4258-a4ab-40257a1becc4.json | 18 +- ...-85a45294-08f1-4539-bf00-7da08aa7b0ee.json | 8 +- ...-8bb4538f-f16f-49f0-a431-70b5444c7349.json | 14 +- ...-8d2f3bab-507c-4424-b58b-edc977bd215c.json | 17 +- ...-8e7089d3-fba2-44f8-94a8-9a79c53920c4.json | 15 +- ...-94f042ae-3033-4a8d-9ec3-26396533a541.json | 2 +- ...-9a505987-ab05-4f46-a9a6-6441442eec3b.json | 16 +- ...-9f947a1c-3860-48a8-8af0-a2dfa3efde03.json | 7 +- ...-a81696ef-c106-482c-8f80-59c30f2569fb.json | 4 +- ...-a8cfd474-9358-464f-a169-9c6f099a8e8a.json | 2 +- ...-ab390887-afc0-4715-826d-b1b167d522ae.json | 16 +- ...-abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json | 2 +- ...-ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json | 2 +- ...-b0628bfc-5376-4a38-9182-f324501cb4cf.json | 12 +- ...-b14395bd-5419-4ef4-9bd8-696936f509bb.json | 20 +- ...-b52870cc-83f3-473c-b895-72d91751030b.json | 11 +- ...-b5b9bacb-97f2-4249-b804-47fd44de1f95.json | 4 +- ...-b7e13ee8-182c-4f19-92a4-a88d7d855d54.json | 4 +- ...-b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json | 10 +- ...-ba203963-3182-41ac-af14-7e7ebc83cd61.json | 15 +- ...-be69c571-d746-4b1f-bdd0-c0c9817e9068.json | 11 +- ...-c267bbee-bb59-47fe-85e0-3ed210337c21.json | 12 +- ...-c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json | 6 +- 
...-c9a8d958-fcdb-40d2-af4c-461c8031651a.json | 11 +- ...-cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json | 16 +- ...-cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json | 21 +- ...-d5a69cfb-fc2a-46cb-99eb-74b236db5061.json | 14 +- ...-d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json | 2 +- ...-d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json | 8 +- ...-e076cca8-2f08-45c9-aff7-ea5ac798b387.json | 13 +- ...-e0d74479-86d2-465d-bf36-903ebecef43e.json | 2 +- ...-e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json | 14 +- ...-e2994b6a-122b-4043-b654-7411c5198ec0.json | 2 +- ...-e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json | 10 +- ...-e5de767e-f513-41cd-aa15-33f6ce5fbf92.json | 20 +- ...-e6c31185-8040-4267-83d3-b217b8a92f07.json | 14 +- ...-e72425f8-9ae6-41d3-bfdb-e1b865e60722.json | 13 +- ...-ea0c980c-5cf0-43a7-a049-59c4c207566e.json | 6 +- ...-ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json | 20 +- ...-efbf7888-f61b-4572-9c80-7e2965c60707.json | 11 +- ...-f8df6b57-14bc-425f-9a91-6f59f6799307.json | 15 +- ...-fa3aa267-da22-4bdd-961f-03223322a8d5.json | 23 +- ...-fab8fc7d-f27f-4fbb-9de6-44740aade05f.json | 16 +- ...-fc5fda7e-6b2c-4457-b036-759896a2efa2.json | 18 +- ...-46421788-b6e1-4256-b351-f8beffd1afba.json | 47 + ...-65281d3e-b03c-46b8-8cd8-716363ac3cb2.json | 8 +- ...-70cab19e-1745-425e-b3db-c02cd5ff157a.json | 2 +- ...-aa73efef-1418-4dbe-b43c-87a498e97234.json | 2 +- ...-059ba11e-e3dc-49aa-84ca-88197f40d4ea.json | 14 +- ...-11f242bc-3121-438c-84b2-5cbd46a4bb17.json | 14 +- ...-143b4398-3222-480a-b6a4-e131bc2d3144.json | 14 +- ...-1cbcceef-3233-4062-aa86-ec91afe39517.json | 8 +- ...-1e7ccfc0-94c8-496e-8d27-032120892291.json | 24 +- ...-2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json | 6 +- ...-2f0160b7-e982-49d7-9612-f19b810f1722.json | 2 +- ...-3172222b-4983-43f7-8983-753ded4f13bc.json | 14 +- ...-3222a807-521b-4a1a-aa13-f1cda45734b3.json | 14 +- ...-337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json | 2 +- ...-3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json | 24 +- ...-469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json | 2 +- 
...-49363b74-d506-4342-bd63-320586ebadb9.json | 14 +- ...-49b306c1-a046-42c5-a4d2-30f264ada110.json | 14 +- ...-4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json | 14 +- ...-52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json | 6 +- ...-5d97c693-e054-48ba-a3a3-eaf6942dfb65.json | 14 +- ...-622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json | 14 +- ...-66cfe23e-34b6-4583-b178-ed6a412db2b0.json | 14 +- ...-6a02e38a-9629-40c0-8c7d-e98e3470315c.json | 2 +- ...-71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json | 14 +- ...-72e46e53-e12d-4106-9c70-33241b6ed549.json | 14 +- ...-7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json | 14 +- ...-86b455f2-fb63-4043-93a8-32a3a7703a02.json | 14 +- ...-8a3aadd0-b5f4-433a-800e-4893e4196bb7.json | 13 +- ...-8ac1d6e1-b07f-476a-9732-84984ebc2405.json | 14 +- ...-8bc4a54e-810c-4600-8b6c-08fa8413a401.json | 2 +- ...-97f33c84-8508-45b9-8a1d-cac921828c9e.json | 14 +- ...-98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json | 2 +- ...-99c746d7-a08a-4169-94f9-b8c0dad716fa.json | 2 +- ...-9a945a29-5233-4422-a9e3-3e957b0e8bce.json | 14 +- ...-9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json | 14 +- ...-9f99fcfd-772e-4e63-9d39-e45612e546dc.json | 14 +- ...-aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json | 12 +- ...-ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json | 15 +- ...-ad12819e-3211-4291-b360-069f280cff0a.json | 14 +- ...-b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json | 24 +- ...-bcf91ebc-f316-4e19-b2f6-444e9940c697.json | 15 +- ...-c7257b6e-4159-4771-b1f3-2bb93adaecac.json | 14 +- ...-d0909119-2f71-4923-87db-b649881672d7.json | 14 +- ...-d48b79b2-076d-483e-949c-0d38aa347499.json | 2 +- ...-da44255d-85c5-492c-baf3-ee823d44f848.json | 2 +- ...-dc61c280-c29d-44e5-a960-c0dd1623d2ba.json | 14 +- ...-ddf3e568-f065-49e2-9106-42029a28ddbd.json | 14 +- ...-de0bc375-50e1-4e26-a342-a8ff8c9d3037.json | 14 +- ...-e0d38502-decb-481d-ad8b-b8f0a0c330bd.json | 26 +- ...-e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json | 14 +- ...-f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json | 14 +- ...-f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json | 14 +- 
...-facb8840-ebe7-49f1-b464-8ef6c8131e21.json | 14 +- ...-faf2b40e-5981-433f-aa46-17458e0026f7.json | 15 +- ...-fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json | 14 +- ics-attack/ics-attack.json | 46095 ++++++++++------ ...-c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json | 2 +- ...-00f67a77-86a4-4adf-be26-1a54fc713340.json | 2 +- ...-190242d7-73fc-4738-af68-20162f7a5aae.json | 2 +- ...-1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json | 8 +- ...-2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json | 2 +- ...-3753cc21-2dae-4dfb-8481-d004e74502cc.json | 15 +- ...-381fcf73-60f6-4ab2-9991-6af3cbc35192.json | 10 +- ...-4ca1929c-7d64-4aab-b849-badbfc0c760d.json | 2 +- ...-68ba94ab-78b8-43e7-83e2-aed3466882c6.json | 2 +- ...-76d59913-1d24-4992-a8ac-05a3eb093f71.json | 6 +- ...-9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json | 6 +- ...-c77c5576-ca19-42ed-a36f-4b4486a84133.json | 2 +- ...-c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json | 2 +- ...-dd2d9ca6-505b-4860-a604-233685b802c7.json | 45 +- ...-f29b7c5e-2439-42ad-a86f-9f8984fafae3.json | 2 +- ...-fbd29c89-18ba-4c2d-b792-51c0adee049f.json | 6 +- ...-00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json | 2 +- ...-083bb47b-02c8-4423-81a2-f9ef58572974.json | 2 +- ...-088f1d6e-0783-47c6-9923-9c79b2af43d4.json | 2 +- ...-1d8dccb3-e779-4702-aeb1-6627a22cc585.json | 2 +- ...-242622ca-3903-43d5-8aa0-3bbdaa3020ec.json | 2 +- ...-2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json | 2 +- ...-496bff4d-0700-4b28-b06f-f30a63002be7.json | 2 +- ...-49c04994-1035-4b58-89b7-cf8956e3b423.json | 2 +- ...-4dcff507-5af8-47ce-964a-8d9569e9ccfe.json | 2 +- ...-54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json | 8 +- ...-5719af9d-6b16-46f9-9b28-fb019541ddbb.json | 2 +- ...-58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json | 2 +- ...-5af7a825-2d9f-400d-931a-e00eb9e27f48.json | 8 +- ...-6108f800-10b8-4090-944e-be579f01263d.json | 2 +- ...-68dca94f-c11d-421e-9287-7c501108e18c.json | 2 +- ...-6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json | 2 +- ...-736a3b71-eccc-48b7-b5ed-adb2b74ca830.json | 2 +- 
...-75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json | 2 +- ...-80099a91-4c86-4bea-9ccb-dac55d61960e.json | 2 +- ...-89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json | 2 +- ...-9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json | 2 +- ...-a020a61c-423f-4195-8c46-ba1d21abba37.json | 50 +- ...-a4a98eab-b691-45d9-8c48-869ef8fefd57.json | 2 +- ...-ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json | 2 +- ...-d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json | 2 +- ...-e221eb77-1502-4129-af1d-fe1ad55e7ec6.json | 8 +- ...-e401d4fe-f0c9-44f0-98e6-f93487678808.json | 8 +- ...-ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json | 2 +- ...-fa42a846-8d90-4e51-bc29-71d5b4802168.json | 2 +- ...-007a2c53-fc5c-4750-aff0-defb282e178a.json | 26 + ...-00b98fa6-4913-40a4-8920-befed8621c41.json | 2 +- ...-00b9e63b-57a7-408e-83d6-fc03535010a6.json | 33 + ...-00e6c22b-9275-4039-b6d4-2ac0680325d6.json | 2 +- ...-011f1d16-c9f1-48ac-94f1-165466c155f8.json | 26 + ...-012fd76f-1a10-4e48-9306-10ffae3f61dd.json | 26 + ...-01335508-22bb-4185-a7e2-49ec9bee6423.json | 26 + ...-01b4a92f-da42-4dfa-8d59-53709b65940e.json | 2 +- ...-01d002a2-696a-4e22-b227-b0b32f54eaf0.json | 26 + ...-02117d44-46d2-41f0-a5fb-ba303e6ee124.json | 26 + ...-026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json | 26 + ...-0278ddbc-67d5-444d-8082-bf9974dee920.json | 2 +- ...-028a3bcc-f299-4061-a0f2-8da85e0a3c81.json | 2 +- ...-02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json | 26 + ...-033b4401-261f-498b-89f3-2bad9ff5907a.json | 26 + ...-03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json | 2 +- ...-03aab956-54f3-4e4b-93a7-6d1898d91b57.json | 26 + ...-03ad6a9a-4443-4e33-a7a5-933e22f2e022.json | 2 +- ...-03d44496-7a15-4e23-820f-b6f1079dbbd3.json | 2 +- ...-03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json | 2 +- ...-03e94c12-cd51-4f39-a33d-c66a31bbf361.json | 26 + ...-042243fd-bfe0-4961-96de-a36232d3ff74.json | 2 +- ...-04882fef-2a6b-40d0-a101-da9c76a3572e.json | 2 +- ...-0491ef92-2941-4841-9fe6-2e1809788b52.json | 2 +- ...-04aad4a8-8b8c-45d9-bb34-508fe4792863.json | 26 + 
...-04bf72de-75ba-4d95-ad24-f93ad835180c.json | 2 +- ...-04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json | 2 +- ...-052552e9-eac0-4b37-9df8-2e921053e305.json | 2 +- ...-058396ca-3af4-444b-b261-74485c47e68c.json | 2 +- ...-064dfd6f-db5d-48e8-b350-9dd47a270911.json | 2 +- ...-06782c99-93de-4db9-9c30-6f96aef894d2.json | 2 +- ...-067932c3-0011-4ca2-9bbe-721c631e4e41.json | 2 +- ...-06c663f8-fcf1-47eb-ab79-284e93eafa6b.json | 2 +- ...-06f15629-d050-434a-aed1-3bb3f90c97b2.json | 2 +- ...-06fc6ec4-7857-4f59-9bbf-df373152bcfd.json | 2 +- ...-0750563d-a86c-4822-ab9c-0f2d3c304c6e.json | 26 + ...-076bfea6-309e-4804-a147-dffe93983481.json | 26 + ...-07c0e166-f05e-413f-8f3e-f487317c9626.json | 2 +- ...-07e06d21-e666-4274-838a-ef9996fdc0cd.json | 26 + ...-07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json | 26 + ...-07f4d65d-4572-450f-8cb2-908fee97bd67.json | 2 +- ...-08302021-aacf-428f-a0ce-e1034d925fb0.json | 2 +- ...-088580e9-ccea-426e-9411-c1de60de650d.json | 2 +- ...-08a4f730-bc3f-4050-973f-1ef2847db4e7.json | 2 +- ...-0951222a-42d1-4635-bb12-5285bc6500e0.json | 26 + ...-095456bc-898b-4c76-a062-ff0ea90aeab4.json | 26 + ...-096c3136-dac9-4729-98c0-c8d870f2bd13.json | 26 + ...-09977105-562f-4f45-a151-27a11a18031e.json | 2 +- ...-09e0c991-1707-431b-a0fd-fd8215e6d552.json | 26 + ...-09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json | 26 + ...-09fe4b04-b1d2-492c-9b10-59b94807ccf9.json | 2 +- ...-0a421699-f013-49f4-9d9f-01d95d210510.json | 26 + ...-0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json | 26 + ...-0a5d2136-e1f5-4a54-be64-a558f918bf0d.json | 2 +- ...-0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json | 26 + ...-0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json | 26 + ...-0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json | 26 + ...-0b7f643e-8975-4998-acbb-7405fa944a68.json | 2 +- ...-0ba1db3a-389a-4937-975b-d2dc0142cb4b.json | 26 + ...-0bc90405-24a9-4f84-a1bb-bf953dbca016.json | 26 + ...-0beb0088-3bea-4612-b2d9-ff9988f829ae.json | 2 +- ...-0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json | 2 +- 
...-0c284ce0-0be2-4164-b686-7c383b246aec.json | 2 +- ...-0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json | 2 +- ...-0c72593d-fcc6-4023-8771-bed5e243310e.json | 26 + ...-0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json | 2 +- ...-0cab29c6-d196-47b0-8621-10ac3c8a95d8.json | 26 + ...-0d305450-d5ca-46fe-8583-36c983dd0a88.json | 2 +- ...-0d4f2f88-e176-42c7-8258-52b345045662.json | 2 +- ...-0d52eea3-394e-492b-944b-9ccb6348329d.json | 26 + ...-0d540b53-6a5d-4f56-9dee-47707443b149.json | 2 +- ...-0d8e0324-ba8e-4712-a123-60377afe94da.json | 26 + ...-0dbf48f3-4579-4ca2-aceb-19d3e0449136.json | 26 + ...-0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json | 2 +- ...-0df0cb6d-0067-48b2-a33e-495415713ab7.json | 2 +- ...-0e263b73-a033-4fac-9d6d-076ab8f8b954.json | 26 + ...-0e275c19-7688-47f8-8cd5-85eaacec465b.json | 2 +- ...-0e29f62d-4ffc-47ec-9623-72f874fbe905.json | 2 +- ...-0e4f272b-d744-4feb-9f3f-c24c3598538f.json | 2 +- ...-0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json | 2 +- ...-0ef1e408-8ebb-4b28-b619-02914b7bae29.json | 26 + ...-0f18b876-b698-4f70-aa98-50e8b5a7eae2.json | 2 +- ...-0f5295ce-d705-4541-8dda-c569b126d103.json | 26 + ...-0f5710a7-f015-40b8-ad3d-f281699f2b72.json | 26 + ...-0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json | 2 +- ...-0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json | 2 +- ...-0ffdee1a-1e83-4506-aba2-38c55812abb3.json | 2 +- ...-104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json | 2 +- ...-10626671-941d-4a82-a835-56059058ef87.json | 2 +- ...-106530e1-375a-4ac4-befb-8297b3b05610.json | 26 + ...-107d9a23-991b-44f5-97f6-7f6983c7013a.json | 2 +- ...-10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json | 33 - ...-10e87e4b-a231-42e3-a011-0031f8226936.json | 2 +- ...-1110814e-81ff-4a23-9988-4b93e6f68a2b.json | 2 +- ...-111f437a-c67d-40e4-9515-7e9b22e65eff.json | 2 +- ...-11840b30-f0d1-4df5-a960-cdb80749c32a.json | 26 + ...-11a82651-4d69-4738-89c6-17d0243cbbb0.json | 26 + ...-11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json | 2 +- ...-11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json | 2 +- 
...-128de3f9-df58-4122-9523-0ac65a6ebf71.json | 26 + ...-1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json | 2 +- ...-129a4d3f-fa4a-42c3-833e-8f15155b9693.json | 2 +- ...-12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json | 2 +- ...-12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json | 26 + ...-12fdacea-28f7-4113-ae67-0b19e1ab5e36.json | 26 + ...-1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json | 2 +- ...-13809e98-1d74-4c39-b882-9d523c76cbde.json | 2 +- ...-139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json | 2 +- ...-13d76624-7049-45c5-94d3-8f172b7f6336.json | 33 + ...-13fb2612-7c23-4b9d-a6e1-76f78062fc52.json | 2 +- ...-1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json | 26 + ...-144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json | 26 + ...-147c2158-b2af-4d88-9d59-594c67a9200e.json | 2 +- ...-14c73603-a6d2-4a8d-9904-0f8249aaa495.json | 26 + ...-15188683-7ded-4578-9102-73459ecbe095.json | 2 +- ...-15377914-bf08-4c7e-ab00-1e272e2f3c1a.json | 26 + ...-154de746-5ea2-43b4-97b2-221b2433cbde.json | 2 +- ...-159fb736-ba92-4564-aa6d-db6f64497763.json | 26 + ...-15a39e3b-124e-4e68-95b5-7b8020225c12.json | 2 +- ...-16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json | 26 + ...-16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json | 26 + ...-172e0537-7a9c-4610-9b07-32a841f0bd8d.json | 2 +- ...-1736df4d-188e-4a44-a8b3-6c6cd71dc749.json | 26 + ...-17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json | 2 +- ...-17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json | 26 + ...-17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json | 26 + ...-17fdec71-98e8-4314-a1be-037edede58bd.json | 2 +- ...-1865830b-511d-4302-99f7-6143647a8e40.json | 26 + ...-18af193c-160a-4cae-9078-4d69de5c2347.json | 26 + ...-18cdfacf-4eba-4049-b85f-d1cab5106c75.json | 26 + ...-18ef2d69-d11a-4d31-a803-da989c4073f7.json | 2 +- ...-193c3cd3-0b22-4839-a1fa-413aee61e882.json | 2 +- ...-19ab6776-42de-48af-975a-568d31a3bb66.json | 2 +- ...-19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json | 2 +- ...-19df16da-8247-45ef-be13-ba58b1fb9c1c.json | 26 + ...-19e9b914-3cb9-430c-ae02-f8e93fc2d826.json | 26 + 
...-1a3ecee5-0237-4e01-8f02-90092c15a2f0.json | 26 + ...-1a40cec9-47c3-404e-b039-b7ae83ffaf68.json | 2 +- ...-1a900ac4-c150-4b57-a899-990854b01d4b.json | 26 + ...-1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json | 26 + ...-1a9ca148-a456-4b66-805f-a2bdfc7a947d.json | 26 + ...-1aa02c37-973e-46bd-ab45-609463e514e9.json | 2 +- ...-1acccbe8-64e1-49ad-87df-215d5c87f050.json | 2 +- ...-1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json | 26 + ...-1b94c927-0445-4ed8-80f1-7b31418f60b5.json | 26 + ...-1ba485c9-951e-4e07-8e69-1d0efc372f6b.json | 26 + ...-1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json | 26 + ...-1c12b1d6-d636-45c6-98f4-947ddb502cb0.json | 2 +- ...-1c3d966a-5995-48ed-919d-25b972010fe9.json | 28 +- ...-1c7df4f1-cee5-42c6-a974-29552552666f.json | 26 + ...-1c831708-28c2-47ae-a158-39f1f7b73406.json | 2 +- ...-1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json | 26 + ...-1d35c947-447f-4693-9ab0-32dff56e664e.json | 2 +- ...-1d399f67-090e-444b-b75d-eed4b1780f08.json | 2 +- ...-1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json | 26 + ...-1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json | 33 + ...-1dc35f79-0ada-4342-bd13-10d10c1b0335.json | 2 +- ...-1e6da55a-ab6c-4583-9e20-583f82096497.json | 2 +- ...-1ed4d007-6d30-4d5d-8df9-3800ed56e042.json | 2 +- ...-1f393d04-36db-4bae-a2a4-53ff12a1240e.json | 26 + ...-1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json | 2 +- ...-1f785984-791e-4612-be32-9ee6903a9c0b.json | 2 +- ...-1f804c9f-3b65-47eb-89f3-83edd0422fdc.json | 2 +- ...-1f87378c-49fb-4da5-8ed3-3672633d3713.json | 2 +- ...-1f8abf6f-0dd0-4449-b555-733fe7296177.json | 2 +- ...-1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json | 2 +- ...-1fd49958-9695-4137-9aaa-57fde4b97cc8.json | 26 + ...-1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json | 2 +- ...-1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json | 26 + ...-1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json | 2 +- ...-2057ec71-a94f-49cc-b348-2eeb44899afd.json | 2 +- ...-206cc4c8-797e-427b-86f1-4c81df391c6e.json | 2 +- ...-2087b2b9-3b30-45be-abcd-4320bf0fa66b.json | 2 +- 
...-2089201c-c1c6-4d92-a737-a6499e26ee7f.json | 2 +- ...-208fe57b-cf2e-4188-8a6f-77597cd60351.json | 26 + ...-20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json | 2 +- ...-20f66fab-7a08-4707-ac79-92dac5acd11d.json | 2 +- ...-21041206-da58-45c7-adb0-db07caebdcb6.json | 2 +- ...-21058f32-3d6e-4381-9288-5c2248e84cce.json | 26 + ...-21134484-2d59-46b7-b878-527121fff1e3.json | 2 +- ...-2138f4ee-5111-4469-92bb-1fc82a6822b4.json | 26 + ...-21470001-67f2-47cf-af21-784e5024ac1d.json | 26 + ...-214eb531-411c-4b90-9dbf-dc0183cbb919.json | 2 +- ...-2159458f-87fc-4479-81f4-a2521a378221.json | 26 + ...-21aa6331-3419-4049-b180-8349b71e1f2a.json | 26 + ...-21b6ec9c-8779-49db-bf19-90e81893a6e4.json | 2 +- ...-220140ac-d927-4d86-9335-c04aa6ee3c61.json | 2 +- ...-22448288-32d9-4d2c-be16-0784e119fff1.json | 2 +- ...-22548926-29b4-4882-9878-633375489c0e.json | 26 + ...-2289f005-7863-4af5-b681-cdfc03d3f111.json | 26 + ...-228b9a13-0545-4ecf-99ff-be02addaf7fe.json | 2 +- ...-22ba5443-ea49-4076-a666-722eb5352f70.json | 26 + ...-232c7049-7609-46a9-8bbe-38672713f853.json | 26 + ...-2346cbf5-b3c8-4110-a66c-6194251d4d49.json | 26 + ...-234da455-b795-4788-bc5d-22b4b58b2dc7.json | 2 +- ...-238f967a-0c29-4aa3-bbb5-3dc593473bbf.json | 2 +- ...-242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json | 2 +- ...-243ad7b2-546c-4bf2-a3c0-1438b13e197d.json | 2 +- ...-2452cc82-6ee0-4a98-a213-d5e3f3247e07.json | 26 + ...-245c8c36-28e5-4508-a585-7768cb33299a.json | 2 +- ...-24885921-734f-46c1-85d7-3f79e0b886d6.json | 33 + ...-24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json | 26 + ...-24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json | 26 + ...-250212f0-a149-4a14-af83-94f7fcedc021.json | 26 + ...-25281488-be20-4d83-89d1-1da7ea836037.json | 26 + ...-25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json | 2 +- ...-25e7ca82-2784-433a-90a9-a3483615a655.json | 2 +- ...-26254163-4f25-4d30-8456-ca093459ff32.json | 2 +- ...-2683e59a-dee3-485a-a355-ed2ee0a23d5d.json | 2 +- ...-268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json | 2 +- 
...-26d68f5d-6ee5-4d98-b175-943366ccc038.json | 2 +- ...-26e58427-a2bd-4e77-9939-16ef60a072e7.json | 2 +- ...-26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json | 2 +- ...-274994e7-1fe9-463a-9979-46c72107bf9b.json | 2 +- ...-276aa6a6-e700-470a-8f72-02537ba7be9d.json | 2 +- ...-2867f491-919b-463f-b689-bb3ceb7ae99f.json | 2 +- ...-287b247f-8ec3-4d8d-a521-050ac8c791ad.json | 26 + ...-28afd84d-a53e-4b2f-9bee-133f7da6982a.json | 2 +- ...-28e89bca-04a2-462f-9d84-d5dc4d55d98e.json | 26 + ...-296375b0-817d-4f42-afe1-4308f5edf973.json | 26 + ...-2971151c-0e8a-4567-84dc-01cf5dd35005.json | 2 +- ...-29b85313-645b-4fb1-b5c2-f580d111760b.json | 2 +- ...-29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json | 26 + ...-2a451896-81aa-4eed-a444-4d04661adeeb.json | 26 + ...-2aaa6840-47fc-455c-9b19-1d27c3afccbe.json | 26 + ...-2b62e4c0-9267-47bd-8f4d-0394b13fb566.json | 2 +- ...-2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json | 26 + ...-2c641542-2e18-4943-849a-7141b7da4fcd.json | 33 - ...-2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json | 33 - ...-2c79920a-f2d1-4114-a1df-924835da645c.json | 26 + ...-2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json | 2 +- ...-2cd79563-0f5a-44a1-9be4-6dc330855d64.json | 2 +- ...-2d07e32d-e9cd-4b19-86ad-4573824d6919.json | 2 +- ...-2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json | 26 + ...-2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json | 2 +- ...-2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json | 2 +- ...-2dc39956-05d1-4dd5-86db-cb70568d73fe.json | 26 + ...-2e0769d7-088e-45d5-a262-6dbc91a95073.json | 2 +- ...-2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json | 26 + ...-2e377016-bb23-481e-b72b-a2ace8c72eb7.json | 2 +- ...-2e5f338d-92c4-4647-8fef-7c901ff774f5.json | 2 +- ...-2ecc567f-3aaa-4bd8-935f-4808d177a552.json | 2 +- ...-2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json | 26 + ...-2f0d1a71-7cb6-4979-b072-a859d117d47f.json | 38 + ...-2f457bef-1721-4e0f-b236-24e4652a31b4.json | 26 + ...-2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json | 2 +- ...-2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json | 2 +- 
...-2f9c25af-d2e2-4793-85bf-6e2696384a50.json | 26 + ...-2fbb7867-79c5-4d45-9876-98c4041dd72e.json | 2 +- ...-2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json | 2 +- ...-2fd8a76f-4663-4251-a16d-e1f105a854f9.json | 26 + ...-2fe222c4-cc81-473d-956e-235e2961a5c3.json | 26 + ...-2ff82993-5010-4450-89e7-341f449f3263.json | 2 +- ...-2fffbea8-c031-4de8-a451-447bbbe3e224.json | 2 +- ...-305866af-1f36-49e0-a57d-d5faaf29011c.json | 26 + ...-309e4558-e591-4d03-9bb9-07d30acf011f.json | 2 +- ...-31203165-79d0-42e5-81f1-62150dea2c43.json | 2 +- ...-31897c41-1d47-4a34-b531-21c3f74651a8.json | 2 +- ...-31bf1721-78a2-4b6c-b325-5c44dc02ea33.json | 2 +- ...-31d7e048-92fc-4b63-b0d5-28b64b39797a.json | 26 + ...-3212de2a-6635-4b95-aeb4-9c0744aed2ce.json | 26 + ...-321fc522-bc6b-4975-bee4-9098624d1e8c.json | 2 +- ...-32438a90-406c-40f7-a5ac-a1ca92cd51d5.json | 26 + ...-327916f7-fe5d-4858-adeb-f72f74c60c25.json | 2 +- ...-327f65bc-8a33-4dbb-88d4-714a9e42442b.json | 26 + ...-32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json | 26 + ...-32d15d1a-04ba-4035-907a-e2871425e8d1.json | 26 + ...-32dbed4e-4dbe-4872-a013-c96111ed102e.json | 48 - ...-33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json | 2 +- ...-3334e647-fd5d-481d-a7f9-66f73911a57a.json | 26 + ...-33486e89-f0f4-4507-9f13-48a8f22c8ac8.json | 2 +- ...-33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json | 26 + ...-33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json | 26 + ...-3439d550-61d5-40b4-a514-341509d3f701.json | 2 +- ...-3471632d-253d-469e-9e8c-3b291b4ae88a.json | 26 + ...-3478c49c-594b-4224-b7f9-2b0b09c67288.json | 2 +- ...-34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json | 2 +- ...-34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json | 2 +- ...-350814da-5c36-42f9-8e58-8f9534e6ce0a.json | 2 +- ...-351e19c4-c16e-493a-9800-a433107aacf1.json | 2 +- ...-3526acc8-8834-4aaa-87a5-51e587360cf5.json | 26 + ...-352ed52c-88ba-4731-a917-4c33da0f29d4.json | 33 + ...-35cf6922-d48f-42ea-b7f5-f0258892bd52.json | 2 +- ...-3618a010-b94b-4974-b1be-7630d5c853c1.json | 2 +- 
...-3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json | 2 +- ...-366a4cd1-aa95-4985-9d80-b45a2551e298.json | 2 +- ...-368558ce-e8a6-4375-b54f-47c2ab31e38d.json | 26 + ...-37048032-b41d-47d8-9c73-7b706bef24d1.json | 26 + ...-372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json | 26 + ...-3731962f-64e7-4750-ac8b-40b97eef8725.json | 26 + ...-374837a0-6109-4c95-bee6-893b25ac71cf.json | 26 + ...-375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json | 2 +- ...-37abb3d5-24fc-4397-844e-07548d324729.json | 2 +- ...-37aeaf27-6bbe-4949-ba77-37649e38f8b2.json | 26 + ...-383e242a-72d4-4b40-8905-888595c34919.json | 2 +- ...-3843dcca-62a2-4224-9241-05f981fa880a.json | 26 + ...-38a3c86b-c9bb-4a65-87c9-55429c68684f.json | 2 +- ...-38bda770-c470-4358-a9ad-a5b39bec026b.json | 26 + ...-39452123-574f-4f3a-95ec-a90170a3d7eb.json | 26 + ...-399126a9-815d-4c3b-9d5e-f57d698ac742.json | 26 + ...-39963a04-9675-4fa4-87ea-1b34145cc569.json | 2 +- ...-39e5a489-f557-4130-a285-e0a82f40685c.json | 26 + ...-39f785a8-4175-4d3c-ba64-e20ad4bc2584.json | 26 + ...-3a20ed21-5e69-4a16-a0e3-bace3eba9974.json | 26 + ...-3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json | 2 +- ...-3a76a181-8706-4bc4-9c66-7e809fec44ca.json | 26 + ...-3a7d1db3-9383-4171-8938-382e9b0375c6.json | 2 +- ...-3aa2691d-d88d-4467-ae3e-242b3bac22ea.json | 26 + ...-3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json | 2 +- ...-3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json | 2 +- ...-3ad966be-8cb2-42e6-b696-ef9e3b512e35.json | 26 + ...-3b6567a9-6213-4db4-a069-1a86b1098b63.json | 2 +- ...-3b7f39cb-0101-49b0-ab02-a5adb1672688.json | 26 + ...-3bc61c8f-3d04-40bd-8239-a15913056bb2.json | 26 + ...-3be8045a-1f0d-4460-a76b-ae830e74c1e0.json | 2 +- ...-3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json | 2 +- ...-3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json | 2 +- ...-3c341d13-938e-4535-ac75-10a79abc7017.json | 2 +- ...-3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json | 2 +- ...-3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json | 2 +- ...-3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json | 2 +- 
...-3d3c5d24-be5c-42e8-98ca-3b04382df39a.json | 26 + ...-3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json | 2 +- ...-3d676c1b-2650-4599-8a57-790c55f9977d.json | 2 +- ...-3da977ab-c863-4e6f-a5b7-68173160da00.json | 2 +- ...-3dc3aec5-0056-46e8-8073-a7e32d3d929d.json | 2 +- ...-3dd15958-b159-4d01-b3c2-37bdf9b417b5.json | 26 + ...-3dd35c9a-146d-4370-80ac-69fed35d81a1.json | 26 + ...-3dde2b07-7c30-4a18-a9df-f85db84f9b14.json | 2 +- ...-3e956d93-e011-40de-ab1b-3f32fa73ae41.json | 2 +- ...-3ed98d8c-de30-499e-9a62-eae0207519f4.json | 2 +- ...-3f07067f-0cbc-489c-8722-a33399ebd4f9.json | 26 + ...-3f335e8f-68da-4b06-9d96-f371ddaf23e6.json | 2 +- ...-3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json | 2 +- ...-3f76d408-be8a-478e-8a5a-aab1d1f96572.json | 2 +- ...-3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json | 26 + ...-3fb86696-1d56-42d5-a73d-044a78b588fe.json | 33 + ...-3fe69c6d-6722-44ad-bab7-e34981d68daa.json | 26 + ...-4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json | 26 + ...-40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json | 2 +- ...-4059da6f-b52b-4265-8bf9-3ad6154dbde4.json | 26 + ...-40f63b01-dc59-475d-826a-74f38c6e81b9.json | 2 +- ...-413c1c41-6ef9-413b-a75a-e67f1668b3db.json | 26 + ...-41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json | 2 +- ...-41b87fd8-6e4d-4e53-a282-c85292fdaa22.json | 2 +- ...-41dbf626-b968-4b51-9f7d-aaea14d39b4d.json | 26 + ...-41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json | 33 - ...-4211c12a-57cf-4ebb-910a-6af7aa09cf34.json | 2 +- ...-423271c0-04dc-42d0-8e27-fb0b6067e096.json | 38 + ...-42508a8e-44d5-4af1-9e66-bace5fc94734.json | 2 +- ...-4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json | 2 +- ...-42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json | 2 +- ...-432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json | 26 + ...-43344cd7-5004-4dac-8b62-8899105fa265.json | 26 + ...-433539bf-cb17-4de1-9c0f-e579b041514f.json | 2 +- ...-4369da69-bb09-4cc8-8600-081a450f50e0.json | 2 +- ...-43777394-ff59-4261-b1cf-b41a1f4f4d8b.json | 2 +- ...-43bdf580-b98f-49cf-92d5-3dac50450c86.json | 2 +- 
...-446c95ea-5178-4ae9-8f92-cb20dd50f7de.json | 2 +- ...-44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json | 2 +- ...-44c857cf-7a4e-405a-87ca-7f6d79000589.json | 2 +- ...-4508bdef-9528-47ae-804c-bc59d1e694e7.json | 26 + ...-456ff399-4925-45d4-aa84-d930eae5348e.json | 26 + ...-45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json | 26 + ...-45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json | 26 + ...-45ee1822-71e4-4d92-976d-306561b70555.json | 2 +- ...-461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json | 2 +- ...-4631bf49-da0b-4415-a226-112c99ff0f64.json | 2 +- ...-46332a77-2fd6-4033-96cf-6163172775ec.json | 2 +- ...-4653847b-c089-4435-9159-6f76353833f7.json | 26 + ...-46690df4-ddac-4ed4-8987-8706ae68a0cf.json | 26 + ...-46798892-d849-43fe-8147-b40cc9da291e.json | 26 + ...-46bc86e4-e20b-4778-80d2-8891039e6fb4.json | 2 +- ...-4768c731-3be9-44b8-a217-dfbececa57d9.json | 26 + ...-478cef79-cf4e-4b37-9562-b45cdeb088a4.json | 2 +- ...-47f15a06-8675-4698-833d-bd141ed9e755.json | 2 +- ...-483719ad-c973-4210-b059-14e87dbd45f8.json | 26 + ...-48489baf-56c2-423e-964a-0a61688e4a19.json | 2 +- ...-491455dc-f7c8-4e12-811b-b8c5c041b4c3.json | 2 +- ...-49242ea8-4813-49f7-8bd4-9668216cceeb.json | 26 + ...-4966e63c-ca05-466d-91f9-41d799a54471.json | 2 +- ...-4981a944-b3ad-4d78-9881-a17d458e3422.json | 26 + ...-49966e16-04a2-4fd7-86cd-aa934040a9d8.json | 2 +- ...-49d38b21-5ce5-48d9-a356-639fc6c7a53d.json | 2 +- ...-49d941a6-4da2-4516-92d0-1bc64554b2f2.json | 2 +- ...-4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json | 26 + ...-4a7340fc-0eec-4459-a491-952d736b79ef.json | 26 + ...-4ad48410-efd9-41c0-ac59-e4343d3b9198.json | 26 + ...-4b57e41c-246f-44b3-b259-1811d5275e10.json | 2 +- ...-4b6a964f-af5c-4ec2-a309-c1ae6b929596.json | 26 + ...-4b853b7c-bc55-4599-b88d-d08d651526c0.json | 26 + ...-4b98b72c-a093-4917-a21b-a0b4f388e98e.json | 2 +- ...-4c1df272-9c2a-4647-8d05-3c0de1613e12.json | 26 + ...-4c53b294-973f-4cc2-a781-6c86b8f1c962.json | 26 + ...-4cce6bf1-1aa9-483d-a733-d6e52e091419.json | 2 +- 
...-4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json | 38 + ...-4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json | 26 + ...-4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json | 26 + ...-4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json | 2 +- ...-4f3a843b-18e7-46e8-8285-9102a2fe62e5.json | 26 + ...-4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json | 26 + ...-4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json | 26 + ...-4f83cc15-274d-44c6-859f-e598e362e76e.json | 33 + ...-502a0b7e-048a-468a-b888-e91fde47c6eb.json | 2 +- ...-503c5256-b611-437e-a4ef-2ee1fd20ab29.json | 26 + ...-5041e17d-6349-4589-8c61-7b43964b5f9b.json | 2 +- ...-50a2b289-7bce-405d-8515-c2b5424cce5c.json | 2 +- ...-50b3247a-ea71-455e-b299-f00666c05146.json | 2 +- ...-50c20664-75dc-451e-b026-67b1d309e4b5.json | 2 +- ...-5131c799-517c-4bad-ba97-46ad7de956e7.json | 26 + ...-51eb15a3-48af-470f-94c0-10f25b366d72.json | 2 +- ...-51eca7b9-6330-48a8-badd-65ed3e9d3639.json | 2 +- ...-51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json | 2 +- ...-51f9963c-c041-4bec-b482-5fda2fb5bca4.json | 2 +- ...-5201c576-70a5-4b32-8dfd-dd8ac86f096c.json | 26 + ...-520aad6a-2483-45bc-a172-2417137f6ca0.json | 2 +- ...-5212f36b-216f-4e32-8b64-3b4c94dfada5.json | 2 +- ...-523777f8-4780-4716-807c-08a67450b916.json | 26 + ...-524ffb0f-40ae-4c97-a098-d14001fffa31.json | 26 + ...-52855d5d-e835-470f-a675-751c2779c861.json | 2 +- ...-52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json | 26 + ...-52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json | 2 +- ...-52e828db-58d0-443e-8d94-54d265d9606e.json | 26 + ...-531e0589-0dad-444d-aca4-6198ba5d9fcd.json | 2 +- ...-535c5160-17e0-44eb-9f4b-1a8e216b56a2.json | 2 +- ...-53a54e4a-2b38-4b0c-8f60-252a68767443.json | 2 +- ...-53af6987-21bb-46fd-bf85-e3eeaa74de1a.json | 2 +- ...-53d7a78d-1431-49e8-944c-62c875e58a20.json | 26 + ...-5424e327-396f-4b07-94a3-408ffc915686.json | 2 +- ...-5425d1cd-8840-4640-90a3-72f3bd7151bd.json | 26 + ...-544e996c-0bdc-42b2-91af-14c27d4213b9.json | 26 + ...-54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json | 26 + 
...-54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json | 2 +- ...-54e73627-95de-4e6e-abf0-d93e20a1fe8f.json | 2 +- ...-54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json | 2 +- ...-55f3dd59-08be-4e23-a680-b6db7850b399.json | 2 +- ...-56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json | 2 +- ...-5677e801-bd49-404b-b54a-6b00da52530c.json | 26 + ...-567acebd-4ba2-4723-a74d-514992321ccc.json | 2 +- ...-56896f6b-27fe-4396-bfea-d3c1a7580b18.json | 26 + ...-56dcc2d7-5243-4a5d-a556-8723642e98a4.json | 2 +- ...-5714c88f-ca54-46b6-b072-cd1d24714ae0.json | 2 +- ...-57510758-786a-4f0a-aab2-101eaf4e7b9f.json | 33 + ...-575f0e0b-d68d-432b-abb3-cbd3e641fc88.json | 2 +- ...-5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json | 2 +- ...-577b53a0-44ff-4cc4-b571-455d61e596c0.json | 26 + ...-578117b2-0f4b-4d75-a2dc-3ee45976e616.json | 2 +- ...-57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json | 2 +- ...-5804ae3d-0daf-47a5-b026-d42878f55803.json | 2 +- ...-58269882-7e8d-4d24-b7a3-dbef6196cb61.json | 2 +- ...-5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json | 2 +- ...-58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json | 2 +- ...-58a95ec2-0079-4d58-a7ed-02664c1095ba.json | 26 + ...-58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json | 2 +- ...-58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json | 26 + ...-5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json | 2 +- ...-590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json | 2 +- ...-5914a482-dbb7-429d-96f3-77f0588ac12d.json | 2 +- ...-591620d3-5549-49db-9080-43f86a68a590.json | 2 +- ...-5968cbde-b3da-46df-a8bd-a30c2d85363b.json | 26 + ...-59b53303-e4df-49ec-8e5a-812f2b4265a8.json | 26 + ...-59c65014-1fee-4c2e-9ece-9883159bbed2.json | 2 +- ...-59cb471f-ad8b-464f-ab8f-c267f329b0dc.json | 2 +- ...-5a16cecc-4017-4ce8-97db-01cb66a1528e.json | 2 +- ...-5a97008b-c23b-4890-ba76-c30cf2a18fba.json | 26 + ...-5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json | 2 +- ...-5b14c813-09e2-4709-ab42-94830cf9538c.json | 26 + ...-5bb313a8-8407-4ec1-a4b0-683ded7f3302.json | 2 +- ...-5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json | 2 +- 
...-5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json | 29 +- ...-5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json | 2 +- ...-5c61c8a2-bfff-43fb-8397-bff864413d74.json | 26 + ...-5c695f49-6c76-4818-88b6-4db2bf029e43.json | 2 +- ...-5ca1d677-b41f-4f1e-b86b-f5637a418829.json | 2 +- ...-5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json | 2 +- ...-5d33de22-35b0-47fa-bc63-f984522340b7.json | 2 +- ...-5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json | 2 +- ...-5de6bf53-0a02-439b-a8d0-248fa9640a36.json | 2 +- ...-5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json | 2 +- ...-5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json | 2 +- ...-5e324da5-0fee-4dac-b289-410d560e03e9.json | 26 + ...-5ee01089-2ab6-4cf5-a39d-adf72666eceb.json | 26 + ...-5f03ee5d-534c-454c-aae3-b41130b00286.json | 2 +- ...-5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json | 26 + ...-5ff26c96-c610-4669-b44e-d6318205be5a.json | 26 + ...-600f0115-94e3-49bf-afa6-0180b3367b94.json | 26 + ...-604a9bf0-81a3-425b-9005-779c4f0f749d.json | 2 +- ...-604e1830-11ac-4ccf-a1d0-b22b80c1b024.json | 26 + ...-605f3853-b007-4134-8a2d-6a81a35e7676.json | 26 + ...-6157408d-1eb3-4445-8d8a-14619458954f.json | 2 +- ...-61668e93-6d9d-418d-9fbd-2d88c3a66544.json | 2 +- ...-6258c355-677c-452d-b1fc-27767232437b.json | 2 +- ...-62abe387-10a2-414b-881c-060b70db2157.json | 26 + ...-62e818b8-38e6-42ff-9424-9a327332eb2a.json | 2 +- ...-632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json | 2 +- ...-63323b12-86db-4b91-a701-90daf3f98f7c.json | 2 +- ...-63453d2f-30f6-40ab-b32c-506d940ecd20.json | 2 +- ...-636baf5a-1a1c-476b-bc54-fb27b27b58a2.json | 2 +- ...-639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json | 26 + ...-63ca148e-12c9-4090-b51e-a8fb7a847a2a.json | 2 +- ...-63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json | 26 + ...-641813ea-66a9-4949-848f-db83420aac39.json | 33 - ...-642cae89-bb5c-46f3-9fea-8d747b930c35.json | 2 +- ...-648c6649-5861-4b43-a7e5-a9665bafb576.json | 2 +- ...-64db6a39-64d2-4999-97d7-91c28c32f42e.json | 2 +- ...-652a68a2-a26b-4e8c-86dd-fd83187ed043.json | 2 +- 
...-652c1e77-cfea-4452-9762-5ba16f874119.json | 26 + ...-655e2f91-5d43-4c47-b7e0-8248b351f3ba.json | 2 +- ...-6573327e-3757-424e-8570-04ffe7d5d0e2.json | 33 + ...-65a45501-10de-46a2-89bf-03bbf17aba33.json | 2 +- ...-65aa5a0d-926c-4b04-9509-f66a99639877.json | 26 + ...-65adbdda-7069-40ed-9825-b79ec87e4916.json | 2 +- ...-65d42e15-749b-4f86-86c5-b9f1da1e60c5.json | 26 + ...-65e25631-05de-4ce2-88cc-52f91cfbdaf2.json | 26 + ...-6603a100-d655-4e6b-8d38-73c11b89dde4.json | 2 +- ...-6637d8e6-6578-4d15-a993-d63ced4c4464.json | 2 +- ...-665587ee-1524-4334-9580-2b448c417542.json | 2 +- ...-66738beb-0a33-4d70-baec-8307b5b34f80.json | 26 + ...-6681bc38-0b55-4714-b690-c609956b40bf.json | 2 +- ...-668f8c4b-225a-4287-ac5b-7717a4f75b5d.json | 2 +- ...-66af47d7-c430-4ac9-8020-fd79b7059037.json | 2 +- ...-66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json | 26 + ...-66d637a0-4874-4b12-bd3a-b408acb06d26.json | 2 +- ...-66f79019-d52c-46a6-b605-c2335d1d3d20.json | 2 +- ...-671043a9-337f-411a-9ca9-3112e897ab09.json | 2 +- ...-6754195a-99cd-4b45-bafd-4a374ae79bbd.json | 26 + ...-6795c92f-848f-488e-9c25-d240f99c9b34.json | 26 + ...-679d216f-9bf7-428a-8d5b-72a84d6d45ab.json | 2 +- ...-679e7b8d-57d7-4c1d-8f42-1496606ea666.json | 2 +- ...-67ae8423-c401-4c11-93d3-0454c288d934.json | 26 + ...-67dae594-4239-4756-a0bc-dee75de19e4c.json | 26 + ...-67e11f38-9f68-4989-8de3-da65af52063e.json | 2 +- ...-6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json | 2 +- ...-685249f9-e51a-4914-8b7f-09679e04198b.json | 26 + ...-686cbd74-ef49-4e77-9599-21777d3a4738.json | 2 +- ...-688d2041-5c8b-47e0-86e1-a8d16134bdb1.json | 26 + ...-6895e54e-3968-41a9-9013-a082cd46fa44.json | 63 +- ...-68d30c45-766f-48b6-9405-0c969243332b.json | 2 +- ...-6902da63-3b59-46f3-99e0-6008dd47ab70.json | 2 +- ...-69146c10-d3d0-4f69-8164-9c21a1a4e10b.json | 2 +- ...-692324b4-064a-430c-8ffc-7f7acd537778.json | 2 +- ...-692ff921-c74d-40a4-ab31-879aba5f247a.json | 26 + ...-69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json | 2 +- 
...-698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json | 28 +- ...-69cf4015-fae1-47f6-9253-1f99209288a5.json | 26 + ...-69f4ed24-c2f7-49e1-99a2-350cc2795820.json | 26 + ...-6a476f56-2c07-43be-8054-d978ee8eb924.json | 26 + ...-6a5922e1-e282-464d-9e71-ce2c2ed44908.json | 2 +- ...-6aa080d0-6e25-46e5-91d8-4af11f01ceef.json | 2 +- ...-6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json | 2 +- ...-6ad39b3a-a962-457f-852c-be7fc615e22f.json | 2 +- ...-6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json | 26 + ...-6b54f354-9059-4366-8077-87360c4db2ab.json | 26 + ...-6b5d2643-b399-43aa-8ab1-7557a0446b07.json | 2 +- ...-6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json | 2 +- ...-6b987f2a-3d07-4791-9c1c-e4f6818521e8.json | 2 +- ...-6baa9172-04e4-416d-a009-668cda23fd5d.json | 2 +- ...-6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json | 2 +- ...-6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json | 2 +- ...-6be4cef2-3d54-4cd8-97df-8a8b37c03605.json | 2 +- ...-6bf14e79-3287-4b9e-b222-9d527530df1e.json | 2 +- ...-6c15ec9f-2b48-419c-adc1-f989833f6187.json | 2 +- ...-6c31c795-935a-41ad-8db1-d74430f4a553.json | 26 + ...-6c470aa0-b119-4078-80fc-2b66a4d6eac4.json | 26 + ...-6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json | 26 + ...-6d1906b4-e815-4688-86f1-ce61d403f8c6.json | 2 +- ...-6d822f86-5793-403a-b176-5d533f6b81b3.json | 2 +- ...-6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json | 2 +- ...-6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json | 2 +- ...-6eaf727c-fec3-4e63-8852-eee27c44d596.json | 2 +- ...-6ed07095-c23a-4676-807f-a544deaeb274.json | 2 +- ...-6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json | 2 +- ...-6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json | 26 + ...-6f2c2043-6487-467a-bb49-e8cd2509ae9f.json | 2 +- ...-6f2ddada-d7df-4788-b5d1-9add185142e0.json | 26 + ...-6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json | 26 + ...-6f950c91-125b-46a0-aa40-239b4de2306a.json | 26 + ...-6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json | 2 +- ...-6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json | 2 +- ...-70113c21-85f2-4232-8755-233f93864277.json | 2 +- 
...-7041d8e5-3b74-402a-86b3-fd59def80632.json | 2 +- ...-709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json | 2 +- ...-70a9010c-6943-4274-b854-50901c3e5a0e.json | 2 +- ...-711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json | 2 +- ...-71422483-33e4-4131-a4ec-40322d91d8a0.json | 2 +- ...-71a2c3f5-7383-4bd8-a830-dc2aae62a977.json | 26 + ...-71c81024-ea36-4853-940a-cd9d4cbcabed.json | 2 +- ...-71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json | 2 +- ...-71e9230d-eec8-4ce1-bc96-9288bacc8b13.json | 2 +- ...-7258c355-677c-452d-b1fc-27767232437b.json | 2 +- ...-72bfda0b-31e9-4958-8d40-6efe816d9989.json | 2 +- ...-730580d4-d68c-407f-9d09-f379e9aefc7e.json | 2 +- ...-73093c08-ea39-4956-8bff-55e15f6630cd.json | 26 + ...-739e7b8d-57d7-4c1d-8f42-1496606ea666.json | 2 +- ...-73a48431-3597-4a72-acb8-c1e5019073e2.json | 2 +- ...-740082b7-2411-473a-a59d-4d46cf12f8b5.json | 26 + ...-7411b05d-209a-4907-83ce-00ab1538fbac.json | 2 +- ...-745b5268-f2b3-499c-a6a4-63d7e8667ff7.json | 26 + ...-74b66248-2cb6-46ea-b52c-c7d60c170f3f.json | 2 +- ...-74ec9ce5-3155-488c-ae56-570c47a1d207.json | 2 +- ...-75366cbf-e45f-4cfd-9e76-5af4dfe10766.json | 2 +- ...-754521fc-4306-4daa-831b-6b6fb45847e2.json | 2 +- ...-7584e57f-1258-4c47-b18d-99019a586e6c.json | 26 + ...-758773e3-d23d-44db-b5d3-643cde5b41f1.json | 26 + ...-758d5818-f919-4a6b-9dc2-a212595a11bd.json | 2 +- ...-75a60046-c4d7-498a-b256-9a93b5992dcc.json | 2 +- ...-75c27f4e-d1e3-490a-9793-a6fc8e326a48.json | 26 + ...-75e6adae-06a7-47e9-878e-74ca73004c3b.json | 26 + ...-76537fd7-5782-4a8d-9b54-117b168a4306.json | 26 + ...-76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json | 33 - ...-76b8bbce-1c65-4337-a4d7-320c594dc29e.json | 2 +- ...-77566f94-5e26-41c9-892f-2f62b395afe7.json | 26 + ...-77821dbb-367e-455f-bcae-b87412e88f1b.json | 2 +- ...-77f3a64d-227d-487f-8484-89007e05b59f.json | 26 + ...-78881a3d-59ad-4fbb-8bd2-69388a068584.json | 26 + ...-788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json | 26 + ...-78972893-5d8c-480f-a05d-481adc0c8bb0.json | 2 +- 
...-7912946d-1605-465a-a55c-36bb104235ab.json | 2 +- ...-792324b4-064a-430c-8ffc-7f7acd537778.json | 2 +- ...-79235599-e23f-43cb-9c56-1eb22b7c4664.json | 26 + ...-79324bdd-cdab-4d0a-af60-af1047c1d117.json | 2 +- ...-79407d1e-8e16-48c1-939c-ad92f91dd988.json | 26 + ...-798919d3-df8b-463f-b2be-4c1aa8089384.json | 2 +- ...-798de2f3-218b-4622-a62c-84e3840d45a6.json | 26 + ...-79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json | 26 + ...-79d05cb2-ded0-4847-b52e-af7af421f303.json | 2 +- ...-79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json | 2 +- ...-7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json | 2 +- ...-7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json | 2 +- ...-7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json | 2 +- ...-7b1e00af-11fb-4862-a193-55dc9b6652c0.json | 26 + ...-7b814e39-71fc-4e99-b46f-b24eca6cc780.json | 26 + ...-7b95b2aa-9561-494f-8e02-d36edc14e38b.json | 26 + ...-7bb1dbec-7314-479a-9496-86f8e25041eb.json | 26 + ...-7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json | 26 + ...-7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json | 26 + ...-7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json | 2 +- ...-7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json | 26 + ...-7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json | 2 +- ...-7c1eee62-3307-4e25-8a20-919ccd56ec1c.json | 2 +- ...-7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json | 2 +- ...-7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json | 2 +- ...-7c329018-b591-42c4-8806-4d02ccd47476.json | 2 +- ...-7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json | 2 +- ...-7c433b29-0ad3-4574-990f-e3d6291e7f23.json | 26 + ...-7c85bff0-8f70-479e-9365-fef1e3fe2b95.json | 2 +- ...-7c893581-c847-495a-aa93-9d98c516e1ae.json | 2 +- ...-7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json | 2 +- ...-7d2db896-3051-483c-bc53-ca21832ee085.json | 2 +- ...-7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json | 2 +- ...-7d42ba22-9595-4463-8dda-c0e47a154fed.json | 26 + ...-7d5759cd-890e-4ec5-b92b-aba225d52960.json | 2 +- ...-7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json | 2 +- ...-7d6c4a00-acde-40af-bf91-a4ef009cf135.json | 2 +- 
...-7d752615-33f0-44ed-a156-25d84f384e75.json | 33 + ...-7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json | 2 +- ...-7db9687b-7099-4cb6-a040-bc32fc549a81.json | 2 +- ...-7dedeb73-ef90-4282-a635-cc37326773af.json | 2 +- ...-7e87ce08-a428-4e55-876e-80d2760121a5.json | 2 +- ...-7ebee5d3-ce7f-436c-8b4a-087363d6b858.json | 26 + ...-7ed1ad67-942a-424e-ad81-8b69a4f0c706.json | 26 + ...-7efa1a31-da21-4925-aab0-96a012d5b2a7.json | 26 + ...-7f1e688d-65f7-4737-a4ba-ee482710f8ec.json | 2 +- ...-7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json | 2 +- ...-7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json | 2 +- ...-7fdaa9be-aecf-459f-b028-7c35dc8b6451.json | 2 +- ...-7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json | 2 +- ...-808174b7-3ab0-45b5-963e-5c10dd749e3c.json | 2 +- ...-808c57e7-72ef-4860-b9ea-8ea072e2385a.json | 2 +- ...-80a69b56-337d-446a-8167-8b9f63083c4f.json | 2 +- ...-81055366-e78b-40e0-a799-4b536ba03db3.json | 26 + ...-81117328-e2bb-431c-a1ca-6ba7e6816637.json | 2 +- ...-817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json | 26 + ...-81806f43-c9aa-486e-8032-4e4665ba0d39.json | 26 + ...-818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json | 26 + ...-81add433-49d8-43ec-85d5-f48fe80e56e7.json | 2 +- ...-81ca994a-b350-424d-8f39-a0b64aa76260.json | 2 +- ...-82b20c35-88c6-49aa-8241-a59512b17b74.json | 2 +- ...-8334b3ab-f17f-460e-b627-ad85fc9c2409.json | 2 +- ...-83a964cb-730c-44e4-859b-b5246159396b.json | 26 + ...-83c29179-4805-403a-acf5-5151c4d2e556.json | 2 +- ...-83c8c216-7ff7-4bd3-9db4-573469628d95.json | 8 +- ...-83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json | 2 +- ...-841ec349-0f4c-43fa-89b8-ef3656497fc9.json | 2 +- ...-842a2b85-4e77-4eb6-99e1-c4a231aadf48.json | 2 +- ...-84671396-a556-4a5d-9bb9-cac697277371.json | 26 + ...-8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json | 26 + ...-84e535be-960a-450a-91f9-4dc8c5e3f69d.json | 33 - ...-84fa50ff-bb84-4ab6-b759-658c57532c42.json | 26 + ...-84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json | 26 + ...-8530c1ea-fe9f-4b04-be34-7404d5e30e75.json | 26 + 
...-868db512-b897-4a54-ae56-ac78f6c93a14.json | 2 +- ...-86a8d6aa-beff-4343-a0b2-dd099202b2dc.json | 26 + ...-86b868be-3e59-4497-9aa9-a2cd951a8f72.json | 2 +- ...-86c94552-de59-453d-ac06-28a6a64db930.json | 2 +- ...-86d45e92-80ba-4f97-b3a3-03ad3469658b.json | 2 +- ...-86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json | 26 + ...-86ede365-4539-4475-b90b-9b3bfd2dbe97.json | 2 +- ...-86f1655a-db46-4d49-9051-6653da83eb13.json | 2 +- ...-874752f4-59a2-46e9-ae28-befe0142b223.json | 2 +- ...-87c8ab74-576d-4962-b641-0762d374d1e8.json | 2 +- ...-87eb5825-c918-444f-8da5-67da9eea9906.json | 2 +- ...-880161a4-d6c9-4e5b-a78d-39319cfa43ab.json | 2 +- ...-881ef4ba-a480-44de-8ab6-be2cdc87dcce.json | 2 +- ...-88edcf36-a6f2-474f-b9c2-7800b34919a2.json | 26 + ...-892c0bff-17b6-447b-a213-6a3189a1df82.json | 2 +- ...-897cfc36-4253-4e1e-8825-726dbe9088a2.json | 26 + ...-8985cd3c-1429-4681-ad2e-9b3e46588a44.json | 2 +- ...-8a06c15b-b7e5-4374-9265-8d9020e126cd.json | 2 +- ...-8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json | 2 +- ...-8a604466-8437-4fe6-b6db-ec8fb05d702a.json | 2 +- ...-8a765743-9caf-4c8a-9c58-6fe2c1993108.json | 26 + ...-8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json | 33 + ...-8af89a9b-3e95-45f4-a51d-223b1c82db9c.json | 2 +- ...-8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json | 2 +- ...-8b17ad46-b0cc-4766-9cae-eba32260d468.json | 2 +- ...-8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json | 2 +- ...-8b491011-322d-4e0b-8f79-449e1b2ee185.json | 2 +- ...-8b7403f5-90d2-4d2c-a484-87d29f419a9f.json | 38 + ...-8baa4d55-c235-44da-b6fe-8866cf7f9915.json | 2 +- ...-8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json | 26 + ...-8c1b22bd-7e31-427f-a9c5-085a606212ca.json | 2 +- ...-8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json | 2 +- ...-8ccd5f5c-420a-413b-81ef-5e40f401be95.json | 26 + ...-8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json | 33 + ...-8d7e2aa5-129a-4060-88ae-9fc066af13c7.json | 26 + ...-8da928a0-1c87-471f-aad7-5a1fdd438357.json | 2 +- ...-8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json | 2 +- 
...-8ecf5eac-7767-411b-b54a-b374ea51b9e9.json | 2 +- ...-8ed7e323-578c-4a62-bf32-0bf2fefa872b.json | 26 + ...-8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json | 2 +- ...-8f76d408-be8a-478e-8a5a-aab1d1f96572.json | 2 +- ...-8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json | 2 +- ...-8f90363e-2825-4178-807f-9268a28760fa.json | 2 +- ...-8f947e00-2579-4120-a8b0-d466e59fac1a.json | 26 + ...-8fa6fe89-e704-4be4-a15b-50e188084aa3.json | 2 +- ...-8fcecf74-36df-41ab-9476-539c9ac0b339.json | 2 +- ...-8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json | 26 + ...-90647f03-38a4-4364-a3af-53640a81360e.json | 2 +- ...-908e3fa1-e2b9-475e-b72d-06343a65a3c6.json | 26 + ...-90d9c8e3-0250-4096-8d98-7ca1d324d654.json | 2 +- ...-910bada1-c923-4009-a9ea-da257072f168.json | 26 + ...-91f29477-2ff6-4dbf-bf68-c8825a938851.json | 2 +- ...-92634d06-42e5-407f-bcb7-cafb1ddeafce.json | 2 +- ...-92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json | 2 +- ...-92ea1c2a-3835-43de-bb56-24e937a6f322.json | 2 +- ...-938ff1d4-acce-4e4e-8a9c-be62799dff8e.json | 26 + ...-93c336f2-7e7c-4c79-af16-faae03e66121.json | 26 + ...-93e24e03-6425-4ee8-99bb-c3a662c6cdce.json | 2 +- ...-943a9a5c-7826-451d-ac73-34353ea40595.json | 26 + ...-94654460-b115-4056-beb1-e982ed33437b.json | 2 +- ...-949b498c-ca3f-4704-90bd-a22a4d34067f.json | 2 +- ...-94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json | 2 +- ...-9515f24c-1c33-4197-b9c9-b9992bc696ca.json | 2 +- ...-956bbc7f-82c2-4097-8b7b-1e9d732c532d.json | 26 + ...-95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json | 38 - ...-966b59c0-8641-432c-84f7-b2a712004d74.json | 2 +- ...-968830b7-ee80-4a6e-96a4-9fc70470e4a9.json | 2 +- ...-968fd463-fec4-4b2d-b3c9-950d8471b9a8.json | 26 + ...-973f5884-a076-413e-ac96-f0bd01375fb6.json | 22 +- ...-97538255-b049-4d15-91c4-6b227cbea476.json | 2 +- ...-97641754-f215-4b8f-b0cd-0d3142053c76.json | 2 +- ...-97756c8a-b702-472b-8d67-15464a73093e.json | 38 + ...-97c5b388-518a-46ec-b2b0-41bfa6a83204.json | 2 +- ...-97df42a5-e6d3-4fb7-a158-c161d14624ab.json | 2 +- 
...-97e20860-29d9-4738-a9a8-6cc3e4db23f1.json | 26 + ...-97f42cef-bc2a-47c5-b408-8e38aab4030e.json | 26 + ...-97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json | 26 + ...-984992e3-0407-406a-b8dd-c114d8b2d9a2.json | 2 +- ...-98b229f8-6020-4fbb-b104-54fd478c14d9.json | 2 +- ...-98f1d575-a975-42ae-8b00-2c9e22d560d5.json | 2 +- ...-9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json | 2 +- ...-990f944f-190d-456d-b194-f5ecb17a0868.json | 2 +- ...-9951eb11-8140-420d-8e2d-56fbe0ff0134.json | 26 + ...-99c0c90e-8526-41d6-80ca-b037598c6326.json | 2 +- ...-99ec0a8e-4a4f-427c-89db-163e4b206021.json | 2 +- ...-99f84b91-32a1-4ade-8de5-5d2a0359302f.json | 26 + ...-99fa6d92-0c41-44ed-bd30-dd0413785883.json | 26 + ...-9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json | 26 + ...-9a44b2a8-9f4c-43df-9174-1cba6e165886.json | 2 +- ...-9a607f89-85b8-4fba-8eb7-7e4900ea693f.json | 2 +- ...-9ad74496-e164-4068-a0f5-379f507ba864.json | 2 +- ...-9b0b3c25-d87c-452a-a2f9-241234410eb8.json | 26 + ...-9b412b1f-2dd0-4e7f-8364-f625181ba1db.json | 2 +- ...-9b825e77-2b18-4bc8-8e1d-5f645d570dca.json | 2 +- ...-9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json | 26 + ...-9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json | 26 + ...-9c23121e-14bb-4382-b54d-2ea02a2815b5.json | 26 + ...-9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json | 2 +- ...-9cf83701-a347-47b4-a67b-280df95b275d.json | 2 +- ...-9d4be020-4ab0-4f10-9a20-ae8a2886038f.json | 2 +- ...-9d5b9b9c-058f-4782-80aa-9d501442a03d.json | 2 +- ...-9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json | 2 +- ...-9d75333b-2542-4899-923f-55dc1e077a51.json | 2 +- ...-9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json | 2 +- ...-9db1ecfe-72eb-42da-a09e-746663a53854.json | 2 +- ...-9e0810a5-ad02-487f-b0a8-bf07decca493.json | 2 +- ...-9e8990f9-475b-43fe-91fb-25cc0634f0aa.json | 2 +- ...-9e98d88c-4138-4d0e-8db0-cddf956ab500.json | 26 + ...-9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json | 2 +- ...-9f25cdae-7d0f-49cd-acaf-481f71195ae5.json | 2 +- ...-9f2926a2-596f-459e-827e-6fe2d4646efd.json | 26 + 
...-9f43126d-5f6c-42a9-9908-49175c27ead7.json | 2 +- ...-9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json | 26 + ...-9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json | 2 +- ...-9fb8c8ab-67de-42df-a82d-b6e45b82d949.json | 33 + ...-9ffbf620-8e1f-4542-a271-9a3692db9a47.json | 26 + ...-9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json | 2 +- ...-a04169ed-c16b-466b-80ef-22a11067f475.json | 2 +- ...-a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json | 2 +- ...-a1383f2a-2ee2-47df-a661-8904a7535e0c.json | 2 +- ...-a1454196-0d86-49f2-8dcb-61145a16b21e.json | 2 +- ...-a15d718f-af30-4745-a837-887ba8f48727.json | 26 + ...-a1cbbdb5-30ad-4139-9784-e5a134f8d405.json | 2 +- ...-a1d2df14-6f44-44ac-99c2-3e3f55f53476.json | 26 + ...-a1d99bbc-8d7c-4263-a909-95a9507b43c3.json | 26 + ...-a2142552-6b8d-4751-a3d4-1471420c02fc.json | 2 +- ...-a221bbb3-5f4f-4879-ae1d-37e8d3022039.json | 26 + ...-a22fabd2-836e-4141-9219-c76cc10138ec.json | 2 +- ...-a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json | 26 + ...-a287bc05-20cb-4476-ba1f-15bfde6e601d.json | 26 + ...-a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json | 2 +- ...-a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json | 26 + ...-a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json | 26 + ...-a45cec05-2d81-4db1-9267-db8be498e0d2.json | 26 + ...-a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json | 26 + ...-a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json | 26 + ...-a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json | 2 +- ...-a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json | 26 + ...-a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json | 2 +- ...-a57b233b-6613-4f78-aa48-e85518aaa7cf.json | 38 + ...-a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json | 2 +- ...-a6479493-6154-408f-90df-9d2f3ae352d1.json | 2 +- ...-a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json | 2 +- ...-a6d8b66d-fc10-404f-b0ae-e8c66506b818.json | 2 +- ...-a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json | 26 + ...-a717ccc7-0fe6-4a83-951f-5a89037ed927.json | 2 +- ...-a731ad54-0c3c-47bb-9559-d99950782beb.json | 2 +- ...-a74c14e2-eb8a-47bb-b64d-20aad9154297.json | 2 +- 
...-a75ddacf-e87e-4a99-83f2-618486473163.json | 2 +- ...-a78e727c-8e42-448c-beb4-463804e18be0.json | 2 +- ...-a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json | 26 + ...-a7a4b080-e4a6-4c46-b2c7-84119df76393.json | 2 +- ...-a7ca9443-f833-4636-9c30-fcaddd3516c6.json | 2 +- ...-a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json | 22 +- ...-a7fb3abd-c800-408e-8329-2a4f6256ea4a.json | 2 +- ...-a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json | 2 +- ...-a82e9f8a-f81e-407a-b284-e0ae5f055c61.json | 2 +- ...-a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json | 2 +- ...-a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json | 2 +- ...-a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json | 26 + ...-a86cee0a-dc49-4c95-b5dc-37405337490b.json | 2 +- ...-a91002fe-21b2-4417-9c23-af712a7a035c.json | 22 +- ...-a91295dc-b381-4dc9-9384-9f9949066778.json | 26 + ...-a93ba793-24dd-47dd-b32c-4c3016124c90.json | 26 + ...-a946c9b1-5b89-44c9-b617-3412ffda34b9.json | 2 +- ...-aa205915-7571-47ee-8bc6-5aa1ace86690.json | 2 +- ...-aa726ced-f2ac-4113-8d05-8687b7d7ff91.json | 2 +- ...-aa7a0f45-e027-4d79-8413-5d807f44c1ba.json | 26 + ...-aaacfa83-033f-4555-ba6b-ecc7692a25aa.json | 2 +- ...-aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json | 2 +- ...-ab0b5170-577b-491e-8508-b9a34dc393c1.json | 2 +- ...-ab306654-2abb-4983-8d30-df4058adb06c.json | 2 +- ...-ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json | 26 + ...-ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json | 2 +- ...-ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json | 26 + ...-ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json | 26 + ...-ab8e129c-5411-4784-9194-068fa915da23.json | 2 +- ...-ac63d227-ff8a-43b8-81ef-ec4c046c4291.json | 26 + ...-ac933d76-8207-4bf7-add2-92b60cf3044b.json | 26 + ...-acace658-da7e-4a19-aa98-8aec8c966dde.json | 33 + ...-ad7770c3-fe24-4285-9ce2-1616a1061472.json | 2 +- ...-ad77a940-150c-4d73-bf5a-1df2d9436f9c.json | 2 +- ...-ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json | 2 +- ...-adb41ca8-7d2a-4025-b673-db44c9e1f16b.json | 26 + ...-ade12d27-13bb-4ebf-be08-7039cf699682.json | 2 +- 
...-adf2072c-0341-4fc2-9d25-495b4af864e9.json | 2 +- ...-ae10e97a-90ac-498b-8601-01081dc4af8b.json | 2 +- ...-ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json | 26 + ...-ae7487f1-a2d0-443d-b418-cd726c5ac15f.json | 2 +- ...-ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json | 2 +- ...-af20f409-05ed-42c3-ae3e-09b047b84875.json | 26 + ...-af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json | 2 +- ...-af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json | 26 + ...-af802091-fee7-4d15-a845-fb4ee3c26d6d.json | 26 + ...-afb0b60e-e604-4b96-abb9-57fdce4e5108.json | 2 +- ...-afd63145-6033-49e4-ad43-d0b35fa5ed88.json | 2 +- ...-afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json | 26 + ...-aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json | 26 + ...-b064068a-9e17-4ac8-9a92-a1338d7196c7.json | 2 +- ...-b07e6896-a840-49a1-8d58-94396a902b95.json | 2 +- ...-b0945f9b-5608-472e-ad70-7b42c3e062a1.json | 26 + ...-b0f137d8-3c56-4f6c-9d59-1ec231d61391.json | 2 +- ...-b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json | 2 +- ...-b116fcca-e872-4735-b7e2-4e4c8e34621a.json | 2 +- ...-b13417ea-d8da-497f-818f-d2d90562039a.json | 2 +- ...-b1768154-221c-48be-ab2b-549ec1eddafb.json | 2 +- ...-b182692b-5eb3-4edc-b455-1f92d64b98ec.json | 2 +- ...-b1921480-8499-46a9-8396-2a2d747c5861.json | 26 + ...-b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json | 2 +- ...-b21e0340-976d-44b2-94ae-f777199993c6.json | 26 + ...-b252a076-6d4e-49f5-95ac-16264ef05b1d.json | 2 +- ...-b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json | 26 + ...-b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json | 33 - ...-b2defaaf-625d-416e-8a9d-8be6d89bacdc.json | 2 +- ...-b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json | 2 +- ...-b2e8914a-91bc-42df-8b64-22e5365ede6f.json | 26 + ...-b33f2abc-a218-425b-9a90-b75445b7e142.json | 26 + ...-b343e131-e448-46c6-815b-b86e4bd6d638.json | 2 +- ...-b346eec8-de90-407c-b665-387086bb4553.json | 2 +- ...-b349ef5f-4a05-4eef-afe4-1543b8c832fa.json | 2 +- ...-b352884f-2a60-41c6-b348-0bbb5859802a.json | 26 + ...-b363cbbb-679c-47e0-8ad0-af98ebf51e60.json | 2 +- 
...-b37844c1-0338-44f6-9116-48fa0f079913.json | 26 + ...-b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json | 2 +- ...-b3aab26c-09c6-4264-af2a-5df260d3d8e2.json | 26 + ...-b3b24837-83ed-46c5-ba80-66a832c7072e.json | 2 +- ...-b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json | 2 +- ...-b411f748-a1e9-40c6-8eb3-72f2de4dab08.json | 26 + ...-b452a076-6d4e-49f5-95ac-16264ef05b1d.json | 2 +- ...-b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json | 2 +- ...-b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json | 2 +- ...-b48be9f9-de0e-4548-ade3-09d47af52798.json | 2 +- ...-b4b698a7-b80e-41f6-8ca2-a954270cceb3.json | 2 +- ...-b4bb8bd7-8984-45de-888f-45c51ab157fa.json | 26 + ...-b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json | 2 +- ...-b5979643-fefb-460f-b59c-971efe95f121.json | 2 +- ...-b59a96e4-bd70-4459-9609-66563bccd9c3.json | 26 + ...-b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json | 2 +- ...-b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json | 2 +- ...-b5e52859-8dab-4e7e-af70-bb38c6993c98.json | 2 +- ...-b628d878-4f35-4580-8d42-26984d13821e.json | 2 +- ...-b6309476-8268-4c47-920b-8a556cd8ae4c.json | 26 + ...-b69905bd-6865-4092-9543-47bd9ae318ec.json | 26 + ...-b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json | 2 +- ...-b7284360-0d80-45bb-8486-263ae8f8fa63.json | 26 + ...-b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json | 2 +- ...-b7344dfb-621b-4558-ab22-6c1f256ee746.json | 26 + ...-b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json | 26 + ...-b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json | 2 +- ...-b7a9bff5-2e15-4d3d-ac88-84af1239a586.json | 26 + ...-b7f23af2-e948-4531-af56-1a1b4d03702f.json | 2 +- ...-b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json | 26 + ...-b8b1739d-dfa2-44e9-907f-7085e262512f.json | 2 +- ...-b8d484f3-85e7-4208-8ae4-72f0e055a290.json | 2 +- ...-b8d6e550-18fe-49ad-9964-7802bbe0cb58.json | 2 +- ...-b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json | 2 +- ...-b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json | 2 +- ...-b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json | 2 +- ...-b9632b4d-43c3-4bfa-88e0-629245acb8eb.json | 2 +- 
...-b9e82422-b072-494f-99c1-fcab07b90133.json | 2 +- ...-ba010007-6dde-4c9d-8452-69527cd1c2ba.json | 2 +- ...-ba496af3-2d99-4c2b-8ce0-20388f5d632c.json | 26 + ...-ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json | 26 + ...-bac1f95c-87bf-4939-bc1a-7727aad738f7.json | 26 + ...-baf4bd30-4213-43c3-b70c-54418e734caf.json | 2 +- ...-baf7daf3-2116-4051-91b5-f82e146167d0.json | 2 +- ...-bb3938a6-85ec-4f34-8bcd-6051de7e9259.json | 26 + ...-bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json | 26 + ...-bbf297d3-0c3c-44be-b780-332bac17b0ba.json | 2 +- ...-bc3744d6-9275-4d91-8888-16d5f4d5187b.json | 2 +- ...-bc383819-2e40-49b4-bea9-95eb5d418877.json | 2 +- ...-bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json | 26 + ...-bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json | 2 +- ...-bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json | 2 +- ...-bcece7ce-91b5-40b3-b87a-25cab3600e5c.json | 2 +- ...-bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json | 26 + ...-bd869385-5778-4303-8993-cc6412d12303.json | 26 + ...-bda03e8d-5e06-4470-b786-11b11c7c97c7.json | 2 +- ...-bde941c6-2ca0-4f94-9336-027e7eee15a1.json | 2 +- ...-be0f7d83-2441-4259-b411-46e0d10566b1.json | 26 + ...-be532c78-daf5-431b-adae-ab11af395513.json | 2 +- ...-be950e87-80ac-49ea-810a-553c7f72151b.json | 2 +- ...-beafc44c-228f-4a7e-9d92-ac1b16d730e2.json | 26 + ...-bf5356b1-d00e-43c3-ba92-ae504a737d76.json | 26 + ...-bf75ca96-3f9d-413c-a244-888a3fbf0be3.json | 2 +- ...-bf8e68fe-1969-48d1-be0e-ec742378748d.json | 26 + ...-bf8f90a2-4d3a-436d-87d0-eff060fb2302.json | 26 + ...-bf9f227c-e306-4257-add1-39c7c2e42040.json | 26 + ...-bff99f91-e1a9-4379-a2d9-5a99615a95d1.json | 2 +- ...-bffad8de-a807-4216-9753-008a87d9d77f.json | 26 + ...-c047df7c-3ed7-455f-8b13-14ced8e93fef.json | 26 + ...-c0efb24a-2329-401a-bba6-817f2867bb3f.json | 2 +- ...-c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json | 2 +- ...-c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json | 2 +- ...-c195a0e9-d46c-487f-9a96-b138e9ca05d2.json | 2 +- ...-c1d77f83-23ec-4128-afd1-ed8ea12281a2.json | 26 + 
...-c1e051ab-0a11-4d29-b98f-aa442ab69553.json | 26 + ...-c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json | 26 + ...-c22acaab-baa4-45b0-9c4b-9330715e5455.json | 33 - ...-c233df49-e450-4151-8a0f-1765faf3d75a.json | 26 + ...-c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json | 2 +- ...-c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json | 26 + ...-c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json | 2 +- ...-c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json | 2 +- ...-c37f097a-9698-412f-9e96-4d350bcd2790.json | 26 + ...-c39be68a-e208-47ac-a7be-6eb6e84d6608.json | 26 + ...-c4122b58-f1b2-4656-a715-55016700bf75.json | 2 +- ...-c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json | 26 + ...-c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json | 2 +- ...-c4718fa2-2592-44b0-87d0-f866c118a779.json | 26 + ...-c473686a-2452-4ee6-bf1d-54bf3e575d95.json | 2 +- ...-c4a50132-a210-4093-878d-3d6df23ed26e.json | 26 + ...-c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json | 26 + ...-c4e8dd42-9855-4a36-b915-dc7e1a91e235.json | 2 +- ...-c58563a8-d757-4476-8ae2-beb2acce38b3.json | 26 + ...-c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json | 2 +- ...-c5a69738-3e80-421d-aba2-bdab8a4029fd.json | 26 + ...-c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json | 2 +- ...-c5fd0969-c151-4849-94c2-83e2e208cff7.json | 2 +- ...-c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json | 2 +- ...-c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json | 2 +- ...-c6520346-fe47-44ce-af75-d99004ac2977.json | 2 +- ...-c6562519-81c5-4eca-a815-f46ac0ed4bcc.json | 2 +- ...-c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json | 26 + ...-c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json | 2 +- ...-c67e3535-69a9-4234-8170-4ad6efc632b7.json | 2 +- ...-c69eab3c-861c-45f5-8858-a595fcc7e6f6.json | 2 +- ...-c6a05c20-02d4-42ce-ad5c-280c604e13d8.json | 26 + ...-c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json | 2 +- ...-c785c026-4139-4c56-a6dd-cdd3ba75bab1.json | 2 +- ...-c78f497f-01c3-4efb-aa74-92b700b9c02b.json | 2 +- ...-c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json | 2 +- ...-c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json | 2 +- 
...-c84e39ab-30c1-40e3-95a8-fcbb271e913c.json | 2 +- ...-c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json | 2 +- ...-c8dd2735-bd04-4413-847d-316b77c6de19.json | 2 +- ...-c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json | 33 + ...-c9065f74-556d-4728-8072-f96642e70316.json | 2 +- ...-c90cfddb-253b-41c8-9057-2abde6f8aa6d.json | 2 +- ...-c9395e2a-afaf-427c-bcb2-ae663d72c05c.json | 2 +- ...-c95850f4-4616-435c-b237-f1985833d40e.json | 26 + ...-c9fb4adb-8064-426a-838d-c93674fb380b.json | 26 + ...-ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json | 2 +- ...-ca13a117-aae0-4802-878b-c09f4a04dd31.json | 26 + ...-ca3c4d4b-cf53-4489-904f-8a220e421aeb.json | 2 +- ...-ca5c7ae7-5273-4888-bc50-183d6e200972.json | 2 +- ...-ca64a927-f050-41b3-80d3-93d22cdef26a.json | 2 +- ...-ca768c2a-0f14-471c-90a5-bce649e88d51.json | 2 +- ...-cad91f87-7cc7-4771-8c7b-1599793ed3c1.json | 2 +- ...-cb1037c1-4b83-4a79-ba12-00558bb6b42b.json | 2 +- ...-cb30d507-edc6-4197-947c-7b3a6e395c0d.json | 22 +- ...-cb38425c-646d-4bc8-bdea-e6cc630c3034.json | 2 +- ...-cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json | 26 + ...-cb4d802e-df5b-4017-81dd-47f65fff23a3.json | 2 +- ...-cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json | 2 +- ...-cba8313b-c338-45f7-88ef-a514094882ac.json | 2 +- ...-cbee31a0-716c-4b10-83f0-aa889bfb4749.json | 26 + ...-cc5c77ce-c5a3-4791-b80e-09d35282443a.json | 26 + ...-cca191a1-3c50-4d4f-8f79-4247e58af610.json | 2 +- ...-ccab2b58-7c47-45fe-bdd3-3444fb53760c.json | 2 +- ...-ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json | 2 +- ...-ccbb44ad-2220-4260-99ce-9142c44fc797.json | 26 + ...-ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json | 2 +- ...-cd297a7b-4b02-407e-a798-e36fef4cf3a1.json | 2 +- ...-cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json | 26 + ...-ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json | 2 +- ...-ce3aad7e-1e15-40c7-916b-e25a647e9986.json | 26 + ...-ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json | 2 +- ...-ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json | 2 +- ...-cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json | 2 +- 
...-ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json | 2 +- ...-cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json | 26 + ...-cf703ecc-e9f5-4d56-94d4-8fda9837e614.json | 2 +- ...-cf8a816c-30ee-4147-a48f-d797fb145a04.json | 26 + ...-cf8ac499-8c1c-4615-b933-7587f1b9488b.json | 2 +- ...-cfaead3c-3db5-400f-bd15-dfbc57cf0185.json | 26 + ...-cfcbca89-8912-40c0-ac15-47882162b132.json | 2 +- ...-d02812b2-23c3-4dce-bf94-c6e464e86fab.json | 26 + ...-d03de729-9235-4ceb-a1c0-935e2088020b.json | 26 + ...-d08fdedd-12f6-4681-9167-70d070432dee.json | 2 +- ...-d1388bba-9869-4e3e-a6c9-430784ad924d.json | 33 + ...-d16e8909-d055-4174-aeb1-22c0613b2f73.json | 2 +- ...-d1971b32-3a15-4544-9f36-80c05121deb6.json | 2 +- ...-d1a97502-b41d-40a8-aff5-13367fefc642.json | 26 + ...-d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json | 26 + ...-d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json | 2 +- ...-d23fd724-563d-4f49-8bcd-09c653728cd3.json | 26 + ...-d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json | 26 + ...-d2a434c7-4428-435e-ae6b-e54012f29606.json | 26 + ...-d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json | 2 +- ...-d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json | 2 +- ...-d3266f04-3453-492d-b9ea-6fb9d0ce3999.json | 26 + ...-d3564f1f-8637-4878-a66a-3e8ea46f7a72.json | 26 + ...-d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json | 2 +- ...-d3d4f469-9847-41ef-a478-5eaf6003d483.json | 26 + ...-d406671b-4d22-4cd5-8568-d04b0b70b51c.json | 2 +- ...-d455330d-f190-4854-8087-4c2c37003b45.json | 26 + ...-d48894cb-457e-4a81-82b4-2d735aea5128.json | 26 + ...-d4968f45-d06b-4843-8f72-6e08beb94cab.json | 2 +- ...-d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json | 2 +- ...-d58d8b19-90bc-4a7f-840d-076be296ff20.json | 26 + ...-d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json | 26 + ...-d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json | 26 + ...-d611b750-95e5-4f73-8f16-38db0a34a2e0.json | 26 + ...-d648b3c7-77d2-42f3-a367-620621b714ab.json | 26 + ...-d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json | 2 +- ...-d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json | 2 +- 
...-d72e7d01-56be-4fbd-8957-3384533ba83b.json | 2 +- ...-d775a6ed-4a60-41f4-ac06-da86c27cd1de.json | 26 + ...-d7b07d40-fbdb-41e9-b610-57de10fa41e5.json | 26 + ...-d7ea83fa-87c7-4d36-96d5-aee554504040.json | 2 +- ...-d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json | 26 + ...-d8354850-bd4c-4bd9-a585-b107f5f1398f.json | 2 +- ...-d854cc38-adf7-485d-96b5-70606f6cb87e.json | 2 +- ...-d8911566-f622-4a01-b765-514dbbfd8201.json | 2 +- ...-d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json | 26 + ...-d8f45959-e0fc-4b4f-a074-a3acea926300.json | 2 +- ...-d8f95008-33c9-4572-9916-023d8de449b1.json | 26 + ...-d90aeeb6-3686-483a-8403-6514ecfe1a50.json | 2 +- ...-d90b1271-a90d-41c7-9df7-bec47880c82e.json | 2 +- ...-d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json | 2 +- ...-d96788b4-55dd-48df-bb9b-83b33ca24813.json | 26 + ...-d9de58a6-58fd-499c-ba7d-588239297179.json | 26 + ...-d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json | 26 + ...-da144dd2-c949-4a7f-8c8d-0cb27c52196a.json | 26 + ...-da771d72-c778-4c9a-acb4-01b5fc3d36c0.json | 26 + ...-da987131-bf37-4730-9914-323879d2b5c3.json | 26 + ...-dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json | 26 + ...-dadfed22-d70c-482b-9026-964396d75484.json | 2 +- ...-db46e84f-435e-4022-b484-e6d2e253660c.json | 26 + ...-db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json | 2 +- ...-dbcc492c-782e-4418-8373-dbc7a76498b0.json | 26 + ...-dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json | 2 +- ...-dc15440d-6683-435a-8c87-64daea29bcaa.json | 33 - ...-dc35c44a-a90c-48a1-8811-af2618216e42.json | 2 +- ...-dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json | 2 +- ...-dd9abe36-1cee-4100-a94f-105d9678fd1f.json | 26 + ...-dda29418-9570-405a-b7db-97e951e5aa53.json | 2 +- ...-dda89758-9d0b-446d-b594-85acc7f9cb90.json | 2 +- ...-dded2d68-35c7-42c4-af10-efe7731673e3.json | 2 +- ...-de8b8a69-5f08-421a-96f0-2bed5707508d.json | 2 +- ...-dead5325-7efe-4dcc-bf78-42b9190f74da.json | 26 + ...-def57041-6bb4-453a-bf04-188b9e97a35d.json | 26 + ...-df321d74-25d6-42da-80e8-3c9a291cb471.json | 26 + 
...-df6da4ec-cbe8-4f93-a41f-3726a9491938.json | 2 +- ...-df7b521e-4496-432f-a61d-3094d0c7bc23.json | 26 + ...-df80e2b6-5672-4f26-a19c-a394f3731f24.json | 26 + ...-df95c619-33ee-4484-934a-78857717323e.json | 2 +- ...-df9f5a5b-0662-4904-8e57-bc25c244a6da.json | 26 + ...-dfb20521-91c2-4f55-b92a-dab959759b78.json | 26 + ...-dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json | 2 +- ...-dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json | 2 +- ...-e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json | 2 +- ...-e09e253c-fd28-49ae-988e-1f80d769e8b8.json | 2 +- ...-e09f3308-57d7-4b2b-b340-784b88ae61ca.json | 2 +- ...-e0aee02c-b424-4781-be10-793d71594c31.json | 2 +- ...-e0d101cc-1284-4e88-82d6-227fe5d19d8a.json | 2 +- ...-e0da1f92-82b1-4096-86c4-1aef58ca89fb.json | 2 +- ...-e1269074-37f4-460b-8a2a-cd26892d4f8e.json | 26 + ...-e1461f8d-6a16-4526-ac0b-0acd27ae8065.json | 2 +- ...-e156609f-c30b-4bf5-8a1b-9689ba778a14.json | 2 +- ...-e17c3b74-69d8-47b2-88d4-adcaf418ab74.json | 26 + ...-e18af08c-3953-4b1d-b46c-45572fdb5187.json | 2 +- ...-e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json | 26 + ...-e257913e-40ba-4a05-ba97-0c3175c966b5.json | 2 +- ...-e323dee4-a896-4a82-85f5-d51d311b0437.json | 2 +- ...-e3923fcf-5580-4c1e-bc55-33f67792cc00.json | 2 +- ...-e3b04152-0c90-41ff-a333-c5163fa9714f.json | 26 + ...-e434db5d-f201-4411-825f-4a50e1e78c75.json | 26 + ...-e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json | 26 + ...-e4a11381-8608-4c71-966f-df0cbb834fe0.json | 2 +- ...-e4bc29f2-87c8-491d-b51b-d6cede7c1972.json | 26 + ...-e5afc447-a241-4773-9a8a-3d6fd205d926.json | 2 +- ...-e5b62475-bd08-4ac6-a6f7-78f1843bf506.json | 2 +- ...-e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json | 26 + ...-e607bb66-e53f-4684-b3f1-36a997e27d01.json | 2 +- ...-e6af4cbd-1b2e-4733-be57-43a845f465eb.json | 26 + ...-e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json | 22 +- ...-e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json | 2 +- ...-e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json | 26 + ...-e767c178-e4b2-490a-b544-bb1b2d6c7de4.json | 2 +- 
...-e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json | 26 + ...-e83a79df-2555-4b2f-9ade-b9ed2689ae42.json | 26 + ...-e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json | 2 +- ...-e8af0b34-4a67-4966-a34a-c4d1b346ea15.json | 2 +- ...-e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json | 2 +- ...-e8eaac2d-a4bf-408f-b24f-14471db7059b.json | 2 +- ...-e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json | 26 + ...-e915e12c-3d0c-4f60-b119-9414940abb0b.json | 26 + ...-e95fe824-4df1-49a2-abf7-5d76fb47ef42.json | 26 + ...-e98892d6-e036-4140-adbb-2932dba51a19.json | 26 + ...-e9f5096e-b9fc-459a-a303-88763b1269cc.json | 2 +- ...-ea218d63-d9de-4f63-804a-cb039d804025.json | 33 - ...-ea50253a-3220-458b-b810-ad032f2b182f.json | 2 +- ...-ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json | 2 +- ...-ea817c7a-9424-4204-90a5-6f8fb86037be.json | 2 +- ...-eac205a6-271b-4a86-acf3-6f4ddefb82c4.json | 26 + ...-eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json | 2 +- ...-eadb4ca5-ee99-4169-a926-95b1ff82e960.json | 26 + ...-eae674f9-10a2-41e6-9cd3-205af8e69d53.json | 26 + ...-eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json | 2 +- ...-eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json | 2 +- ...-eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json | 26 + ...-eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json | 2 +- ...-eb5310c6-7500-4b16-8ca7-6678c6232001.json | 26 + ...-ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json | 2 +- ...-ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json | 26 + ...-ec105f62-2552-41fa-8b07-619dc1bf9b19.json | 2 +- ...-ecaf20c0-d881-45b4-98f2-a456e07d3643.json | 26 + ...-ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json | 2 +- ...-ed095993-bc85-431e-9621-437143f16d44.json | 26 + ...-ed3ce006-cf41-46f6-bd86-054314c130dc.json | 26 + ...-ed3ef546-566a-46c7-918e-7bfa10d05991.json | 26 + ...-ed66e087-8877-4146-a16a-44cfd144a3d8.json | 26 + ...-ed8b97e2-5966-4844-a636-524541a46e43.json | 26 + ...-edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json | 26 + ...-edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json | 2 +- ...-edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json | 26 + 
...-ede2b798-2f39-419e-a7d3-8f0c733af4c1.json | 26 + ...-edf73653-b2d7-422f-b433-b6a428ff12d4.json | 2 +- ...-edfa4bcb-6304-42df-b7c6-8caf480c66f2.json | 26 + ...-ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json | 2 +- ...-ee1bf429-2c7c-4eb6-acca-e758522baf2e.json | 2 +- ...-ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json | 2 +- ...-ee72cc27-2e78-47c4-8786-1351f9bcee97.json | 26 + ...-ee89466e-0655-4217-844d-fb8ea4f76247.json | 2 +- ...-eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json | 26 + ...-eecca3e7-4db5-40d4-b04c-13f84701acb3.json | 2 +- ...-eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json | 2 +- ...-eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json | 26 + ...-eeeff03f-7436-4f76-8591-42075e6647d4.json | 2 +- ...-ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json | 26 + ...-ef615d62-fe85-4740-9c5d-5dddff9b5693.json | 2 +- ...-efb80069-e4be-4055-bd34-06d1376b4601.json | 2 +- ...-eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json | 26 + ...-f05a2592-00f9-4f1f-ba55-395af5444b96.json | 26 + ...-f08d487a-7837-48f9-9301-fe0f9f144c92.json | 26 + ...-f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json | 2 +- ...-f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json | 2 +- ...-f0c8a954-c1a0-453a-9c1d-484305abdab2.json | 2 +- ...-f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json | 26 + ...-f10611e9-4812-4780-a1d5-0ad537dd95fb.json | 26 + ...-f130282b-f681-455f-966b-55829842be92.json | 2 +- ...-f13dac1a-090b-40c6-9093-eb4abe0deba8.json | 26 + ...-f145b7e5-048b-46e7-8439-e2b88917523c.json | 2 +- ...-f15f24d2-e581-46ce-83e4-a924f572aae6.json | 2 +- ...-f19c34b2-ef3a-4581-b604-6639f501e32f.json | 26 + ...-f1edb034-6dc6-4d6c-8f75-e2cd12213704.json | 26 + ...-f20d8eed-b517-4297-b32a-9a5e0845de9f.json | 2 +- ...-f29ecf69-1753-44bb-9b80-1025f49cadda.json | 2 +- ...-f2e6103d-ca06-45c4-8fe9-049687fc4361.json | 2 +- ...-f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json | 2 +- ...-f347b4fe-d829-427d-851a-fff3393441db.json | 2 +- ...-f353e8ec-0766-4fbd-86b7-9ea06b52958b.json | 26 + ...-f3810d69-0eff-4d62-bdf1-2870cf676bba.json | 2 +- 
...-f40cc6f5-111c-418f-aa84-50d920fa6c48.json | 2 +- ...-f45c2df8-30e7-45d0-8067-7b2870767574.json | 2 +- ...-f497fd3e-8f05-4db2-97cc-48a8d35a8827.json | 2 +- ...-f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json | 26 + ...-f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json | 2 +- ...-f531e763-3550-40ba-a6a1-81e208ca12c6.json | 26 + ...-f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json | 26 + ...-f584a257-c22a-434b-aa2d-6220987821ab.json | 2 +- ...-f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json | 26 + ...-f5c9f641-a498-46b5-9068-39502db53cfd.json | 26 + ...-f61944a4-fef5-4989-bc3d-68f86e65d7d4.json | 26 + ...-f61e474c-d7be-411e-a30e-0a1ef872fe51.json | 26 + ...-f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json | 2 +- ...-f65fa052-5ad0-4fc3-b579-ee33d1225659.json | 26 + ...-f664bf42-5fb2-41e5-b790-978ddf866da3.json | 2 +- ...-f691dde5-bb2d-411b-a381-b33e0ab673d6.json | 26 + ...-f6ff74c2-d088-4252-a8e0-189574863765.json | 2 +- ...-f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json | 2 +- ...-f7215c1f-7bd7-41bd-8466-76caac225c7c.json | 26 + ...-f72a7a30-bab4-445b-b226-d5c3cd1a5846.json | 26 + ...-f7bdbc1f-d08c-48a0-a474-a79b91526138.json | 26 + ...-f7c5bd1b-c596-41b2-b415-2bf5179667df.json | 38 + ...-f8318ac4-8ed0-478d-be87-faa2c9d8a740.json | 2 +- ...-f8456c9b-a4a5-4f13-94e3-54c787b21089.json | 26 + ...-f862418a-e7b4-4783-8949-7145f3dee665.json | 2 +- ...-f86bde61-c4ec-4d40-9768-32e9b52c1702.json | 2 +- ...-f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json | 2 +- ...-f92764db-a880-4726-9d28-a035170f790c.json | 26 + ...-f951d934-d555-45e9-a564-27b84518cae4.json | 2 +- ...-f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json | 2 +- ...-f9907fb1-976b-4f51-ac13-b45f2ff9452b.json | 26 + ...-f9aa3364-a1eb-4776-ae03-c39b250545a0.json | 2 +- ...-f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json | 2 +- ...-fa1bde35-63d9-4c5c-969b-2c17c29089fa.json | 2 +- ...-fac4bc88-af9b-4eec-b041-e4138b49c3c0.json | 26 + ...-fad25140-73de-40d5-a010-3464188db973.json | 26 + ...-fadbdca3-3c98-497c-a156-e53b89664359.json | 26 + 
...-fb80368e-b3f6-4fa3-828b-b1cf792ea161.json | 2 +- ...-fc189fa0-1235-46ac-a802-f226dc0ec4e1.json | 26 + ...-fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json | 2 +- ...-fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json | 2 +- ...-fc4803cb-d6bf-4674-bf40-d4b0997824ba.json | 2 +- ...-fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json | 2 +- ...-fcb7733f-553d-43de-a8c6-c85a5cd65041.json | 2 +- ...-fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json | 2 +- ...-fd0340cc-6105-4abd-89d0-60b0d9c00b55.json | 2 +- ...-fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json | 26 + ...-fd856176-396c-4121-9754-35e49bfa5758.json | 2 +- ...-fdc20415-c9a1-405e-80af-3d297894e8fa.json | 26 + ...-fe22637e-7187-4990-b24a-5dc851eec736.json | 2 +- ...-fe22f626-ddf3-4d5e-97d1-058878d7830f.json | 26 + ...-fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json | 26 + ...-ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json | 26 + ...-ff107632-751b-4efb-86bd-af670b48d35d.json | 26 + ...-ff3f0668-98df-44c1-88c2-711f05720eb8.json | 2 +- ...-ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json | 2 +- ...-0804f037-a3b9-4715-98e1-9f73d19d6945.json | 63 + ...-14932ed5-1098-4cc1-9f57-159ab7366787.json | 56 + ...-1769c499-55e5-462f-bab2-c39b8cd5ae32.json | 44 + ...-2b676abd-8263-49ea-81a4-78a7e1f776fe.json | 58 + ...-3a95f7e4-4877-4967-b2e8-e287976c3e64.json | 55 + ...-68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json | 59 + ...-69d1b1ef-e918-4cfd-9a98-29debd04cb32.json | 64 + ...-75f810ad-b678-4c57-b93b-fdc79bba0c04.json | 54 + ...-973bc51e-c41e-4cec-ac03-9389c71f3d0d.json | 41 + ...-986c455b-0f43-42b6-8360-33ac48bd9990.json | 59 + ...-dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json | 45 + ...-e2c3336a-dd93-44d6-8246-f93cf132c499.json | 42 + ...-ecb81a8b-022e-4529-a404-55cffca7d3a3.json | 78 + ...-f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json | 61 + ...-1177a4c5-31c8-400c-8544-9071166afa0e.json | 2 +- ...-181a9f8c-c780-4f1f-91a8-edb770e904ba.json | 2 +- ...-235b7491-2d2b-4617-9a52-3c0783680f71.json | 2 +- ...-2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json | 2 +- 
...-3772e279-27d6-477a-9fe3-c6beb363594c.json | 2 +- ...-39b9db72-8b48-4595-a18d-db5bbba3091b.json | 2 +- ...-3d20385b-24ef-40e1-9f56-f39750379077.json | 2 +- ...-3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json | 2 +- ...-4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json | 2 +- ...-4dcd8ba3-2075-4f8b-941e-39884ffaac08.json | 2 +- ...-5297a638-1382-4f0c-8472-0d21830bf705.json | 2 +- ...-61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json | 2 +- ...-639e87f3-acb6-448a-9645-258f20da4bc5.json | 2 +- ...-66531bc6-a509-4868-8314-4d599e91d222.json | 2 +- ...-685f917a-e95e-4ba0-ade1-c7d354dae6e0.json | 2 +- ...-74fa567d-bc90-425c-8a41-3c703abb221c.json | 2 +- ...-7b375092-3a61-448d-900a-77c9a4bde4dc.json | 2 +- ...-84572de3-9583-4c73-aabd-06ea88123dd8.json | 2 +- ...-8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json | 2 +- ...-931b3fc6-ad68-42a8-9018-e98515eedc95.json | 2 +- ...-9bde2f9d-a695-4344-bfac-f2dce13d121e.json | 2 +- ...-9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json | 2 +- ...-9ce98c86-8d30-4043-ba54-0784d478d0b5.json | 2 +- ...-9d56be63-3501-4dd3-bb5f-63c580833298.json | 2 +- ...-9f387817-df83-432a-b56b-a8fb7f71eedd.json | 2 +- ...-a7f22107-02e5-4982-9067-6625d4a1765a.json | 2 +- ...-a953ca55-921a-44f7-9b8d-3d40141aa17e.json | 2 +- ...-b05a614b-033c-4578-b4f2-c63a9feee706.json | 2 +- ...-b9d031bb-d150-4fc6-8025-688201bf3ffd.json | 2 +- ...-c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json | 2 +- ...-da85d358-741a-410d-9433-20d6269a6170.json | 2 +- ...-e905dad2-00d6-477c-97e8-800427abd0e8.json | 2 +- ...-ee575f4a-2d4f-48f6-b18b-89067760adc1.json | 2 +- ...-f42df6f0-6395-4f0c-9376-525a031f00c3.json | 2 +- ...-f5468e67-51c7-4756-9b4f-65707708e7fa.json | 2 +- ...-faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json | 2 +- ...-0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json | 2 +- ...-0f42a24c-e035-4f93-a91c-5f7076bd8da0.json | 2 +- ...-12c1e727-7fa4-49b6-af81-366ed2ce231e.json | 2 +- ...-1b8c9f31-ad35-4850-bf8c-80c565ad3552.json | 2 +- ...-40269753-26bd-437b-986e-159c66dec5e4.json | 2 +- 
...-4358c631-e253-4557-86df-f687d0ef9891.json | 2 +- ...-509ed41e-ca42-461e-9058-24602256daf9.json | 2 +- ...-61bbbf27-f7c3-46ba-a6bc-48ae76928065.json | 2 +- ...-73691708-ffb5-4e29-906d-f485f6fa7089.json | 2 +- ...-b1717cb4-d536-4e2b-b5e5-07e67e26183c.json | 2 +- ...-ba27545a-9c32-47ea-ba6a-cce50f1b326e.json | 2 +- ...-c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json | 2 +- ...-c9ddfb51-eb45-4e22-b614-44ac1caa7883.json | 2 +- ...-ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json | 2 +- ...-d710099e-df94-4be4-bf85-cabd30e912bb.json | 2 +- ...-e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json | 2 +- ...-f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json | 2 +- ...-575f48f4-8897-4468-897b-48bb364af6c7.json | 2 +- ...-298fe907-7931-4fd2-8131-2814dd493134.json | 2 +- ...-33752ae7-f875-4f43-bdb6-d8d02d341046.json | 2 +- ...-51c25a9e-8615-40c0-8afd-1da578847924.json | 2 +- ...-696af733-728e-49d7-8261-75fdc590f453.json | 2 +- ...-69da72d2-f550-41c5-ab9e-e8255707f28a.json | 2 +- ...-77542f83-70d0-40c2-8a9d-ad2eb8b00279.json | 2 +- ...-78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json | 2 +- ...-93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json | 2 +- ...-97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json | 2 +- ...-b2a67b1e-913c-46f6-b219-048a90560bb9.json | 2 +- ...-ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json | 2 +- ...-ff048b6c-b872-4218-b68c-3735ebd1f024.json | 2 +- 1577 files changed, 44838 insertions(+), 20219 deletions(-) create mode 100644 ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json create mode 100644 ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json create mode 100644 ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json create mode 100644 ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json create mode 100644 ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json create mode 100644 ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json create mode 100644 
ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json create mode 100644 ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json create mode 100644 ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json create mode 100644 ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json create mode 100644 ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json create mode 100644 ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json create mode 100644 ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json create mode 100644 ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json create mode 100644 ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json create mode 100644 ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json create mode 100644 ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json create mode 100644 ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json create mode 100644 ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json create mode 100644 ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json create mode 100644 ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json create mode 100644 ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json create mode 100644 ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json create mode 100644 ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json create mode 100644 ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json create mode 100644 ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json create mode 100644 
ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json create mode 100644 ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json create mode 100644 ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json create mode 100644 ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json create mode 100644 ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json create mode 100644 ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json create mode 100644 ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json create mode 100644 ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json create mode 100644 ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json create mode 100644 ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json create mode 100644 ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json create mode 100644 ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json create mode 100644 ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json create mode 100644 ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json delete mode 100644 ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json create mode 100644 ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json create mode 100644 ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json create mode 100644 ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json create mode 100644 ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json create mode 100644 ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json create mode 100644 
ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json create mode 100644 ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json create mode 100644 ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json create mode 100644 ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json create mode 100644 ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json create mode 100644 ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json create mode 100644 ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json create mode 100644 ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json create mode 100644 ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json create mode 100644 ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json create mode 100644 ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json create mode 100644 ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json create mode 100644 ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json create mode 100644 ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json create mode 100644 ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json create mode 100644 ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json create mode 100644 ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json create mode 100644 ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json create mode 100644 ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json create mode 100644 ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json create mode 100644 
ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json create mode 100644 ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json create mode 100644 ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json create mode 100644 ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json create mode 100644 ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json create mode 100644 ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json create mode 100644 ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json create mode 100644 ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json create mode 100644 ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json create mode 100644 ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json create mode 100644 ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json create mode 100644 ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json create mode 100644 ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json create mode 100644 ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json create mode 100644 ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json create mode 100644 ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json create mode 100644 ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json create mode 100644 ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json create mode 100644 ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json create mode 100644 ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json create mode 100644 
ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json create mode 100644 ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json create mode 100644 ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json create mode 100644 ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json create mode 100644 ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json create mode 100644 ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json create mode 100644 ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json create mode 100644 ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json create mode 100644 ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json create mode 100644 ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json create mode 100644 ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json create mode 100644 ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json create mode 100644 ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json create mode 100644 ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json create mode 100644 ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json delete mode 100644 ics-attack/relationship/relationship--2c641542-2e18-4943-849a-7141b7da4fcd.json delete mode 100644 ics-attack/relationship/relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json create mode 100644 ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json create mode 100644 ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json create mode 100644 ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json create mode 100644 
ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json create mode 100644 ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json create mode 100644 ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json create mode 100644 ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json create mode 100644 ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json create mode 100644 ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json create mode 100644 ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json create mode 100644 ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json create mode 100644 ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json create mode 100644 ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json create mode 100644 ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json create mode 100644 ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json create mode 100644 ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json create mode 100644 ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json delete mode 100644 ics-attack/relationship/relationship--32dbed4e-4dbe-4872-a013-c96111ed102e.json create mode 100644 ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json create mode 100644 ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json create mode 100644 ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json create mode 100644 ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json create mode 100644 ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json create mode 100644 
ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json create mode 100644 ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json create mode 100644 ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json create mode 100644 ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json create mode 100644 ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json create mode 100644 ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json create mode 100644 ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json create mode 100644 ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json create mode 100644 ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json create mode 100644 ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json create mode 100644 ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json create mode 100644 ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json create mode 100644 ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json create mode 100644 ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json create mode 100644 ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json create mode 100644 ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json create mode 100644 ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json create mode 100644 ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json create mode 100644 ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json create mode 100644 ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json create mode 100644 
ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json create mode 100644 ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json create mode 100644 ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json create mode 100644 ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json create mode 100644 ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json create mode 100644 ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json create mode 100644 ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json create mode 100644 ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json create mode 100644 ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json create mode 100644 ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json delete mode 100644 ics-attack/relationship/relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json create mode 100644 ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json create mode 100644 ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json create mode 100644 ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json create mode 100644 ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json create mode 100644 ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json create mode 100644 ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json create mode 100644 ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json create mode 100644 ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json create mode 100644 ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json create mode 100644 
ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json create mode 100644 ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json create mode 100644 ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json create mode 100644 ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json create mode 100644 ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json create mode 100644 ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json create mode 100644 ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json create mode 100644 ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json create mode 100644 ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json create mode 100644 ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json create mode 100644 ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json create mode 100644 ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json create mode 100644 ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json create mode 100644 ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json create mode 100644 ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json create mode 100644 ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json create mode 100644 ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json create mode 100644 ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json create mode 100644 ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json create mode 100644 ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json create mode 100644 
ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json create mode 100644 ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json create mode 100644 ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json create mode 100644 ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json create mode 100644 ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json create mode 100644 ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json create mode 100644 ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json create mode 100644 ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json create mode 100644 ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json create mode 100644 ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json create mode 100644 ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json create mode 100644 ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json create mode 100644 ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json create mode 100644 ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json create mode 100644 ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json create mode 100644 ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json create mode 100644 ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json create mode 100644 ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json create mode 100644 ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json create mode 100644 ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json create mode 100644 
ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json create mode 100644 ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json create mode 100644 ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json create mode 100644 ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json create mode 100644 ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json create mode 100644 ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json create mode 100644 ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json create mode 100644 ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json create mode 100644 ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json create mode 100644 ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json create mode 100644 ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json delete mode 100644 ics-attack/relationship/relationship--641813ea-66a9-4949-848f-db83420aac39.json create mode 100644 ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json create mode 100644 ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json create mode 100644 ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json create mode 100644 ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json create mode 100644 ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json create mode 100644 ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json create mode 100644 ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json create mode 100644 ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json create mode 100644 
ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json create mode 100644 ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json create mode 100644 ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json create mode 100644 ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json create mode 100644 ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json create mode 100644 ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json create mode 100644 ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json create mode 100644 ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json create mode 100644 ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json create mode 100644 ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json create mode 100644 ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json create mode 100644 ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json create mode 100644 ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json create mode 100644 ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json create mode 100644 ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json create mode 100644 ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json create mode 100644 ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json create mode 100644 ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json create mode 100644 ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json create mode 100644 ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json create mode 100644 
ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json create mode 100644 ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json create mode 100644 ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json create mode 100644 ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json create mode 100644 ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json create mode 100644 ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json create mode 100644 ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json delete mode 100644 ics-attack/relationship/relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json create mode 100644 ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json create mode 100644 ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json create mode 100644 ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json create mode 100644 ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json create mode 100644 ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json create mode 100644 ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json create mode 100644 ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json create mode 100644 ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json create mode 100644 ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json create mode 100644 ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json create mode 100644 ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json create mode 100644 ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json create mode 100644 
ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json create mode 100644 ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json create mode 100644 ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json create mode 100644 ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json create mode 100644 ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json create mode 100644 ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json create mode 100644 ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json create mode 100644 ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json create mode 100644 ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json create mode 100644 ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json create mode 100644 ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json create mode 100644 ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json create mode 100644 ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json create mode 100644 ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json create mode 100644 ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json create mode 100644 ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json delete mode 100644 ics-attack/relationship/relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d.json create mode 100644 ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json create mode 100644 ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json create mode 100644 ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json create mode 100644 
ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json create mode 100644 ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json create mode 100644 ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json create mode 100644 ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json create mode 100644 ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json create mode 100644 ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json create mode 100644 ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json create mode 100644 ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json create mode 100644 ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json create mode 100644 ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json create mode 100644 ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json create mode 100644 ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json create mode 100644 ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json create mode 100644 ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json create mode 100644 ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json create mode 100644 ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json create mode 100644 ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json create mode 100644 ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json create mode 100644 ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json create mode 100644 ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json delete mode 100644 
ics-attack/relationship/relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json create mode 100644 ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json create mode 100644 ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json create mode 100644 ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json create mode 100644 ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json create mode 100644 ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json create mode 100644 ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json create mode 100644 ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json create mode 100644 ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json create mode 100644 ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json create mode 100644 ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json create mode 100644 ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json create mode 100644 ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json create mode 100644 ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json create mode 100644 ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json create mode 100644 ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json create mode 100644 ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json create mode 100644 ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json create mode 100644 ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json create mode 100644 ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json create mode 100644 
ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json create mode 100644 ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json create mode 100644 ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json create mode 100644 ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json create mode 100644 ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json create mode 100644 ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json create mode 100644 ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json create mode 100644 ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json create mode 100644 ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json create mode 100644 ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json create mode 100644 ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json create mode 100644 ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json create mode 100644 ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json create mode 100644 ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json create mode 100644 ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json create mode 100644 ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json create mode 100644 ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json create mode 100644 ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json create mode 100644 ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json create mode 100644 ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json create mode 100644 
ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json create mode 100644 ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json create mode 100644 ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json create mode 100644 ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json create mode 100644 ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json create mode 100644 ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json create mode 100644 ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json create mode 100644 ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json create mode 100644 ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json create mode 100644 ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json create mode 100644 ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json create mode 100644 ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json create mode 100644 ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json create mode 100644 ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json create mode 100644 ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json delete mode 100644 ics-attack/relationship/relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json create mode 100644 ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json create mode 100644 ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json create mode 100644 ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json create mode 100644 ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json create mode 100644 
ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json create mode 100644 ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json create mode 100644 ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json create mode 100644 ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json create mode 100644 ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json create mode 100644 ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json create mode 100644 ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json create mode 100644 ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json create mode 100644 ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json create mode 100644 ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json create mode 100644 ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json create mode 100644 ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json create mode 100644 ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json create mode 100644 ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json create mode 100644 ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json create mode 100644 ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json create mode 100644 ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json create mode 100644 ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json create mode 100644 ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json create mode 100644 ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json create mode 100644 
ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json create mode 100644 ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json create mode 100644 ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json create mode 100644 ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json create mode 100644 ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json create mode 100644 ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json create mode 100644 ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json create mode 100644 ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json create mode 100644 ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json create mode 100644 ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json delete mode 100644 ics-attack/relationship/relationship--c22acaab-baa4-45b0-9c4b-9330715e5455.json create mode 100644 ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json create mode 100644 ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json create mode 100644 ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json create mode 100644 ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json create mode 100644 ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json create mode 100644 ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json create mode 100644 ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json create mode 100644 ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json create mode 100644 ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json create mode 100644 
ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json create mode 100644 ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json create mode 100644 ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json create mode 100644 ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json create mode 100644 ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json create mode 100644 ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json create mode 100644 ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json create mode 100644 ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json create mode 100644 ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json create mode 100644 ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json create mode 100644 ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json create mode 100644 ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json create mode 100644 ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json create mode 100644 ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json create mode 100644 ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json create mode 100644 ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json create mode 100644 ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json create mode 100644 ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json create mode 100644 ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json create mode 100644 ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json create mode 100644 
ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json create mode 100644 ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json create mode 100644 ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json create mode 100644 ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json create mode 100644 ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json create mode 100644 ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json create mode 100644 ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json create mode 100644 ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json create mode 100644 ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json create mode 100644 ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json create mode 100644 ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json create mode 100644 ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json create mode 100644 ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json create mode 100644 ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json create mode 100644 ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json create mode 100644 ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json create mode 100644 ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json create mode 100644 ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json create mode 100644 ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json create mode 100644 ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json create mode 100644 
ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json create mode 100644 ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json create mode 100644 ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json create mode 100644 ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json create mode 100644 ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json create mode 100644 ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json create mode 100644 ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json create mode 100644 ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json delete mode 100644 ics-attack/relationship/relationship--dc15440d-6683-435a-8c87-64daea29bcaa.json create mode 100644 ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json create mode 100644 ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json create mode 100644 ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json create mode 100644 ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json create mode 100644 ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json create mode 100644 ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json create mode 100644 ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json create mode 100644 ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json create mode 100644 ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json create mode 100644 ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json create mode 100644 ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json create mode 100644 
ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json create mode 100644 ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json create mode 100644 ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json create mode 100644 ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json create mode 100644 ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json create mode 100644 ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json create mode 100644 ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json create mode 100644 ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json create mode 100644 ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json create mode 100644 ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json create mode 100644 ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json create mode 100644 ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json create mode 100644 ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json delete mode 100644 ics-attack/relationship/relationship--ea218d63-d9de-4f63-804a-cb039d804025.json create mode 100644 ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json create mode 100644 ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json create mode 100644 ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json create mode 100644 ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json create mode 100644 ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json create mode 100644 ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json create mode 100644 
ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json create mode 100644 ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json create mode 100644 ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json create mode 100644 ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json create mode 100644 ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json create mode 100644 ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json create mode 100644 ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json create mode 100644 ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json create mode 100644 ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json create mode 100644 ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json create mode 100644 ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json create mode 100644 ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json create mode 100644 ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json create mode 100644 ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json create mode 100644 ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json create mode 100644 ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json create mode 100644 ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json create mode 100644 ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json create mode 100644 ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json create mode 100644 ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json create mode 100644 
ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json create mode 100644 ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json create mode 100644 ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json create mode 100644 ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json create mode 100644 ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json create mode 100644 ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json create mode 100644 ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json create mode 100644 ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json create mode 100644 ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json create mode 100644 ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json create mode 100644 ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json create mode 100644 ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json create mode 100644 ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json create mode 100644 ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json create mode 100644 ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json create mode 100644 ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json create mode 100644 ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json create mode 100644 ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json create mode 100644 ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json create mode 100644 ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json create mode 100644 
ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json create mode 100644 ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json create mode 100644 ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json create mode 100644 ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json create mode 100644 ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json create mode 100644 ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json create mode 100644 ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json create mode 100644 ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json create mode 100644 ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json create mode 
100644 ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json create mode 100644 ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json diff --git a/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json b/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json index 70ea1cd745..f1e2d63cca 100644 --- a/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json +++ b/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--24c2c656-e8bf-4ca2-a206-e69f101e3ef3", + "id": "bundle--db0354a2-3c76-4a68-8f2a-12b7619cb4d3", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", + "modified": "2023-10-13T17:56:58.380Z", "name": "Block Command Message", "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [ 
@@ -13,27 +13,30 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Device Configuration/Parameters" - ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", "x_mitre_data_sources": [ + "Process: Process Termination", "Operational Databases: Process History/Live Data", - "Network Traffic: Network Traffic Flow", "Application Log: Application Log Content", - "Operational Databases: Process/Event Alarm", - "Process: Process Termination" + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process/Event Alarm" ], "type": "attack-pattern", "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -53,8 +56,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_is_subtechnique": false + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json b/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json index 91314e6512..4f694b070f 100644 --- a/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json +++ b/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json 
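Review bot: The new `x_mitre_platforms` value in the `@@ -13,27 +13,30 @@` hunk is the one-element list `"None"`, a string sentinel that a consumer filtering techniques by platform will read as a platform name rather than as "no platform". The same replacement appears in the sections for attack-pattern--063b5b92, --097924ce, --09a61657, --138979ba, --19a71d1e, --1b22b676, --1c478716, --24a9253e and --25852363, so platform-scoped coverage queries over this data would stop returning those techniques. If the platform information now lives in the `x-mitre-asset` objects this commit creates (an inference from the diffstat, not visible in these hunks), an empty list states that more safely: `"x_mitre_platforms": []`. The added `"x_mitre_detection": ""` has the same shape problem, an empty string standing in for an absent value.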
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--c8289b0b-14f7-4150-b403-d0d853797508", + "id": "bundle--47d26735-457d-48a1-9604-0a5d2d64ae1a", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", + "modified": "2023-10-13T17:56:58.586Z", "name": "Service Stop", "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)", "kill_chain_phases": [ 
@@ -13,42 +13,38 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Data Historian", - "Engineering Workstation" - ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Windows Registry: Windows Registry Key Modification", - "Process: Process Termination", "File: File Modification", - "Process: OS API Execution", - "Process: Process Creation", "Command: Command Execution", - "Service: Service Metadata" + "Process: OS API Execution", + "Process: Process Termination", + "Service: Service Metadata", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0881", "external_id": "T0881" }, - { - "source_name": "Enterprise ATT&CK", - "description": "Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 ", - "url": "https://attack.mitre.org/techniques/T1489/" - }, { "source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ", @@ -57,8 +53,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_is_subtechnique": false + ] } ] } \ No newline at end of file 
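Review bot: The `Enterprise ATT&CK` external reference that survives the `@@ -13,42 +13,38 @@` hunk has the description `Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 `, with the source name and the retrieval text each repeated, while the entry the hunk removes had the clean wording. Both entries shared one `source_name`, so dropping a duplicate is reasonable, but the remaining one should read `"description": "Enterprise ATT&CK Service Stop Retrieved. 2019/10/29"`. The `url` of the surviving entry falls between this hunk and the next and is not visible, so it should be checked against the removed `https://attack.mitre.org/techniques/T1489/`.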
diff --git a/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json b/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json index 4c73578dd8..b6d851bd60 100644 --- a/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json +++ b/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--575cf97f-064b-4d37-a97a-16a08adeaec8", + "id": "bundle--e1deb245-3bda-4042-a283-961b5a92e1c7", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-05T14:15:29.756Z", + "modified": "2023-10-13T17:56:58.786Z", "name": "Modify Parameter", "description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.", "kill_chain_phases": [ 
@@ -13,19 +13,18 @@ "phase_name": "impair-process-control" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Human-Machine Interface" + "None" ], - "x_mitre_version": "1.2", + "x_mitre_version": "1.3", "x_mitre_data_sources": [ "Asset: Asset Inventory", "Application Log: Application Log Content", @@ -46,9 +45,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json b/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json index f0edb10010..2f8b8865e1 100644 --- a/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json +++ b/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--0e6b28a8-6cb3-4ca7-b7f5-e8f48370d7d9", + "id": "bundle--c824d914-6800-4286-8143-3eb8a5f6d245", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:56:58.991Z", "name": "Modify Controller Tasking", "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).", "kill_chain_phases": [ @@ -13,7 +13,7 @@ "phase_name": "execution" } ], - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ 
@@ -22,12 +22,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], - "x_mitre_version": "1.1", + "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Operational Databases: Device Alarm", "Application Log: Application Log Content", + "Operational Databases: Device Alarm", "Asset: Software" ], "type": "attack-pattern", diff --git a/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json b/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json index 5f8ba3294d..e03e379041 100644 --- a/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json +++ b/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json 
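Review bot: The `x_mitre_data_sources` change in the `@@ -22,12 +22,12 @@` hunk only swaps `Operational Databases: Device Alarm` and `Application Log: Application Log Content`; the set of data sources is unchanged. The same order-only churn shows in the attack-pattern--008b8f56, --063b5b92, --19a71d1e, --1b22b676, --1c478716 and --24a9253e sections, where it makes it hard to see whether a detection-relevant data source was actually added or dropped. Emitting the array in a stable sorted order at export time would keep future diffs to real changes.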
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--d80c9623-be6d-4f18-8399-27168ac87c6c", + "id": "bundle--4ce1aaa7-94e4-4ea7-a0a3-0f761b9577e9", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:56:59.193Z", "name": "Wireless Sniffing", "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)", "kill_chain_phases": [ 
diff --git a/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json b/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json index 386784c4e2..25bd7023ce 100644 --- a/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json +++ b/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--cd36473f-7242-4c74-b703-3fb353ddab2b", + "id": "bundle--c5b29817-6e60-47bf-9767-e95de0b64df0", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:56:59.396Z", "name": "Loss of View", "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)", "kill_chain_phases": [ @@ -19,8 +19,7 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "type": "attack-pattern", diff --git a/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json b/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json index d93a2acf25..8dfadf7004 100644 --- a/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json +++ b/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--e2e8cb6c-3007-4282-91c2-120c590e5f67", + "id": "bundle--070a13b1-06bd-4e0c-9182-c1983ba56f1f", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", + "modified": "2023-10-13T17:56:59.593Z", "name": "Activate Firmware Update Mode", "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", "kill_chain_phases": [ @@ -13,23 +13,22 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" - ], - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_contributors": [ "Joe Slowik - Dragos" ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", "Operational Databases: Device Alarm", - "Network Traffic: Network Traffic Content" + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", 
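Review bot: In the `@@ -13,23 +13,22 @@` hunk the platform list is rewritten and `modified` moves to 2023-10-13, yet `x_mitre_version` stays `1.0` and `x_mitre_attack_spec_version` stays `2.1.0`. For the same kind of edit the attack-pattern--008b8f56 and --063b5b92 sections bump to `1.1` and `3.2.0`, and --097924ce bumps `1.2` to `1.3`; --138979ba, --1b22b676, --1c478716, --24a9253e and --25852363 also change platforms without a version bump. A consumer that tracks technique changes by `x_mitre_version` would miss the platform change on these objects, so either bump them consistently (`"x_mitre_version": "1.1"` here) or document that `modified` is the only reliable change signal.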
diff --git a/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json b/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json index a62fc583fd..eb6ee78016 100644 --- a/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json +++ b/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--3d498eba-2090-415d-8881-5bc8e1291d23", + "id": "bundle--f2390472-ffa1-4c55-a5d4-27c026a80189", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:56:59.793Z", "name": "Manipulation of Control", "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)", "kill_chain_phases": [ 
diff --git a/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json b/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json index e5ec4f631c..72dc97d8ae 100644 --- a/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json +++ b/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--0f449267-8ddf-4d23-b45f-46ea033e1e4c", + "id": "bundle--f8703abe-33c1-4ce7-b926-573ff6633247", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:16:01.922Z", + "modified": "2023-10-13T17:56:59.992Z", "name": "Denial of Service", "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. 
(Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ", "kill_chain_phases": [ @@ -13,22 +13,23 @@ "phase_name": "inhibit-response-function" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", - "Operational Databases: Process History/Live Data", "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data" ], "type": "attack-pattern", "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", @@ -64,9 +65,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json b/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json index 8c82a82f6f..4c6f08dd08 100644 --- a/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json +++ b/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--171b7d8c-480a-4d85-8ae1-5f1a0a9bc9ae", + "id": "bundle--595482ec-e4f8-4d55-ad11-5171b4f238e6", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-20T21:02:54.674Z", + "modified": "2023-10-13T17:57:00.184Z", "name": "Block Serial COM", "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", "kill_chain_phases": [ 
@@ -13,24 +13,24 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Input/Output Server", - "Device Configuration/Parameters" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Operational Databases: Process/Event Alarm", - "Process: Process Termination", + "Network Traffic: Network Traffic Flow", "Operational Databases: Process History/Live Data", "Application Log: Application Log Content", - "Network Traffic: Network Traffic Flow" + "Process: Process Termination" ], "type": "attack-pattern", "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", @@ -46,9 +46,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json b/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json index 25ac6587e7..9a2428a805 100644 --- a/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json +++ b/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9495669c-3044-4946-bb5a-3abef44ed2fa", + "id": "bundle--e33ffabd-6533-4b87-9d70-7371e11d9b7f", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json b/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json index e5a09aa365..6f0e6c2800 100644 --- a/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json +++ b/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--480dd457-058d-4688-92ba-087bed09a32e", + "id": "bundle--b6cef4b7-e1e2-44fa-80ff-5ae7c4ead8a8", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:00.378Z", "name": "Command-Line Interface", "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.", "kill_chain_phases": [ 
@@ -22,17 +22,13 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Process: Process Creation", + "Command: Command Execution", "Application Log: Application Log Content", - "Command: Command Execution" + "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", diff --git a/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json b/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json index fc41cd4409..1b397c2fa7 100644 --- a/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json +++ b/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--796df28e-687e-4ffe-b3dc-37c73c0b3b84", + "id": "bundle--fcbaee38-7230-4099-b1b0-fd0fa4d649b3", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:00.575Z", "name": "Point & Tag Identification", "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.", "kill_chain_phases": [ 
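Review bot: The `x_mitre_data_sources` change in the 24a9253e hunk is a pure reorder: the same three entries appear on both sides, and the new order is not sorted either. Order-only churn in this array hides the edits that matter to detection engineers, namely a data source being added or dropped, so the exporter should emit it in a stable order, e.g. `"Application Log: Application Log Content",` `"Command: Command Execution",` `"Process: Process Creation"`. The same reorder-only change shows up in the data-source hunks for 1c478716, 25dfc8ad, 2736b752, 2877063e, 2883c520, 2900bbd8, 2dc2b567, 2fedbe69, 3067b85e and 3405891b. The array sits inside an object that begins and ends outside this hunk.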
@@ -25,9 +25,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Data Historian", - "Control Server", - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json b/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json index d90caef186..d624810797 100644 --- a/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json +++ b/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--9bc19179-391d-4c70-af88-10a498bd8e93", + "id": "bundle--6ddd3e6e-610e-4268-a9ff-a85be5d82dda", "spec_version": "2.0", "objects": [ { - "modified": "2022-09-26T16:50:56.401Z", + "modified": "2023-10-13T17:57:00.768Z", "name": "Device Restart/Shutdown", "description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.", "kill_chain_phases": [ 
@@ -13,21 +13,23 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Operational Databases: Device Alarm", "Network Traffic: Network Traffic Flow", - "Network Traffic: Network Traffic Content", - "Application Log: Application Log Content" + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", @@ -43,9 +45,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json b/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json index 2c79796952..944b915571 100644 --- a/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json +++ b/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--32c2b0eb-e34f-47cf-82c0-e3d639a29a5a", + "id": "bundle--8204efc6-1038-4976-aee9-ff3e04076d93", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:00.969Z", "name": "User Execution", "description": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ 
@@ -22,17 +22,16 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", - "Process: Process Creation", - "Network Traffic: Network Connection Creation", - "Network Traffic: Network Traffic Content", "Command: Command Execution", - "File: File Access" + "Application Log: Application Log Content", + "Network Traffic: Network Connection Creation", + "File: File Access", + "Process: Process Creation", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", diff --git a/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json b/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json index b9ad778428..1527239b1f 100644 --- a/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json +++ b/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--cd538bb1-62d1-425e-9eb1-25854469a90d", + "id": "bundle--d25342a2-8de8-4253-8abf-11a74ae8bce6", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:20:38.285Z", + "modified": "2023-10-13T17:57:01.165Z", "name": "Wireless Compromise", "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)", "kill_chain_phases": [ @@ -13,6 +13,7 @@ "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_contributors": [ "Scott Dougherty" ], 
@@ -22,15 +23,14 @@ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Field Controller/RTU/PLC/IED", - "Input/Output Server" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Logon Session: Logon Session Creation", + "Application Log: Application Log Content", "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", @@ -72,9 +72,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json b/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json index e1afa63a33..240941ff03 100644 --- a/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json +++ b/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--1a2cd146-8fa6-4200-a565-fc7d4b0b4c85", + "id": "bundle--0c5bc1e8-901e-47d2-9981-64671769662f", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:01.367Z", "name": "Change Operating Mode", "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. 
Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", "kill_chain_phases": [ @@ -26,13 +26,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", "Operational Databases: Device Alarm" ], "type": "attack-pattern", diff --git a/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json b/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json index 646ce28f1b..b925a7c890 100644 --- a/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json +++ b/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--2685f246-a7fc-4846-b5b0-ddca34288b03", + "id": "bundle--029291a8-b044-4146-a346-a3e16172958b", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:13:55.599Z", + "modified": "2023-10-13T17:57:01.578Z", "name": "Alarm Suppression", "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.", "kill_chain_phases": [ @@ -13,6 +13,7 @@ "phase_name": "inhibit-response-function" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_contributors": [ "Marina Krotofil", "Jos Wetzels - Midnight Blue" 
@@ -23,17 +24,16 @@ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Device Configuration/Parameters" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Operational Databases: Process History/Live Data", "Network Traffic: Network Traffic Flow", - "Operational Databases: Process/Event Alarm", - "Operational Databases: Device Alarm" + "Operational Databases: Process History/Live Data", + "Operational Databases: Device Alarm", + "Operational Databases: Process/Event Alarm" ], "type": "attack-pattern", "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", @@ -54,9 +54,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json b/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json index fd83fc6580..ae219c32aa 100644 --- a/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json +++ b/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--7936fb78-9021-4c05-80ed-6a676c1b068a", + "id": "bundle--0faac52f-fdfd-4ba6-b3a9-80796ea55c70", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:01.778Z", "name": "Detect Operating Mode", "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. 
(Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", "kill_chain_phases": [ @@ -22,7 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json b/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json index 6f81614529..283638f681 100644 --- a/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json +++ b/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--1d8f2f9a-6595-4726-99c0-b870074e9ea2", + "id": "bundle--bb41e0f1-a866-4985-a6f6-b9969a27a3ff", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:01.994Z", "name": "Loss of Protection", "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", "kill_chain_phases": [ diff --git a/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json b/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json index f4c82eebfc..485d7eda63 100644 --- a/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json +++ b/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--d2ae8df0-e6b3-478c-8fb2-f1ce78bc6697", + "id": "bundle--e76628fd-f94e-441a-bd91-6cee5b274981", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:02.197Z", "name": "Monitor Process State", "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", "kill_chain_phases": [ @@ -19,11 +19,7 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json b/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json index d89f027725..41083c1fce 100644 --- a/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json +++ b/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--efe8aaea-4832-4d06-b988-5040f3497c3d", + "id": "bundle--d515597f-bd38-4c7b-81c9-80626014c588", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:02.398Z", "name": "Scripting", "description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.", "kill_chain_phases": [ 
@@ -22,15 +22,15 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Command: Command Execution", - "Script: Script Execution", - "Module: Module Load", "Process: Process Creation", - "Process: Process Metadata" + "Process: Process Metadata", + "Module: Module Load", + "Script: Script Execution" ], "type": "attack-pattern", "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", diff --git a/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json b/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json index 505ac945c3..32da430825 100644 --- a/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json +++ b/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--6eb77e7b-d8d4-4e91-9dfb-0206a378e19b", + "id": "bundle--57f9f76f-e768-422c-9269-e21104866d72", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-17T15:14:31.276Z", + "modified": "2023-10-13T17:57:02.595Z", "name": "Remote System Information Discovery", "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.", "kill_chain_phases": [ 
@@ -13,22 +13,23 @@ "phase_name": "discovery" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "File: File Access", + "Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content", - "Process: Process Creation", - "Network Traffic: Network Traffic Flow" + "File: File Access", + "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", @@ -44,9 +45,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json b/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json index 6fb6563242..860100a029 100644 --- a/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json +++ b/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--7fff60d2-1494-45a4-b6d4-41f4752a1a0f", + "id": "bundle--6aaf18cc-4128-46a6-8138-ba1899089064", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:02.785Z", "name": "Program Upload", "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", "kill_chain_phases": [ @@ -19,14 +19,13 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", - "Application Log: Application Log Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", diff --git a/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json b/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json index 6cd63d0d04..6166ad84e3 100644 --- a/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json +++ b/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--e9af4f20-7498-4494-9a89-254cdacd2e87", + "id": "bundle--89329e9b-a0f1-4134-844d-eaf2f2d10a64", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:02.990Z", "name": "Exploit Public-Facing Application", "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.", "kill_chain_phases": [ @@ -22,7 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json b/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json index 0dc9a598ec..723beccf31 100644 --- a/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json +++ b/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--bd059675-85da-44b7-9626-4cd8b56df0c2", + "id": "bundle--844863b7-72b9-48ac-bd81-09158e314026", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T19:09:43.744Z", + "modified": "2023-10-13T17:57:03.187Z", "name": "Data from Information Repositories", "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ 
@@ -13,20 +13,22 @@ "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Data Historian" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Logon Session: Logon Session Creation", - "Network Share: Network Share Access" + "Network Share: Network Share Access", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", @@ -52,9 +54,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json b/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json index 4204b55b25..b00456d0e9 100644 --- a/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json +++ b/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json 
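Review bot: The `x_mitre_data_sources` change in the `@@ -13,20 +13,22 @@` hunk is a pure reorder: the same three entries are present before and after, with `"Application Log: Application Log Content"` moved from first to last. The same churn appears in the data-source arrays of later hunks (Transient Cyber Asset, Network Sniffing, Automated Collection, Block Reporting Message, Unauthorized Command Message, Data Destruction, Indicator Removal on Host). The `x_mitre_*` keys in these hunks appear to be moving toward alphabetical order, so the generator could sort this array as well, which here would keep the old order `"Application Log: Application Log Content", "Logon Session: Logon Session Creation", "Network Share: Network Share Access"`. A stable order lets a reviewer of a threat-model update see at a glance when a data source was actually added to or dropped from a technique.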
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--cd203f45-ac36-46e5-ad78-cca9738aa832", + "id": "bundle--7212385f-f32f-4059-a128-f36b72925d3c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:19:41.272Z", + "modified": "2023-10-13T17:57:03.395Z", "name": "Transient Cyber Asset", "description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. \n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. ", "kill_chain_phases": [ 
@@ -13,19 +13,21 @@ "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Application Log: Application Log Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", @@ -41,14 +43,12 @@ { "source_name": "North American Electric Reliability Corporation June 2021", "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", - "url": "https://www.nerc.com/files/glossary_of_terms.pdf" + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json b/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json index ca93333c52..15f86f3ec7 100644 --- a/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json +++ b/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--3e560487-f16a-48a7-ae9f-13b293971547", + "id": "bundle--5ff229aa-a5f6-44e1-8d29-8855718faa4a", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-20T20:46:11.459Z", + "modified": "2023-10-13T17:57:03.589Z", "name": "Manipulate I/O Image", "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.", "kill_chain_phases": [ @@ -13,15 +13,17 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Asset: Software" 
@@ -50,9 +52,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json b/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json index 401bb9e3b2..7fbdc015fa 100644 --- a/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json +++ b/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--50835840-9f10-4567-bfd4-7d3ff7b0cdce", + "id": "bundle--5003fad9-0097-4eef-be48-a90525663622", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:03.783Z", "name": "Network Sniffing", "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.", "kill_chain_phases": [ 
@@ -22,12 +22,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Command: Command Execution", - "Process: Process Creation" + "Process: Process Creation", + "Command: Command Execution" ], "type": "attack-pattern", "id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", diff --git a/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json b/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json index 1bd102d4fb..27d0084b9d 100644 --- a/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json +++ b/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--9d54ffc4-b169-424b-9f29-518fa793576b", + "id": "bundle--dcd4a567-21b2-48f4-831d-a67a76d45450", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:03.989Z", "name": "Rootkit", "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).", "kill_chain_phases": [ @@ -26,7 +26,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json b/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json index 55e3c06cc7..2714387d5c 100644 --- a/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json 
+++ b/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--7a0d17a9-bef3-48a7-a33e-cae0ef517ab2", + "id": "bundle--982d9543-ab67-40c9-885b-3e9fe5c9e029", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:04.179Z", "name": "Automated Collection", "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", "kill_chain_phases": [ @@ -19,16 +19,14 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Control Server" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Command: Command Execution", "Script: Script Execution", - "Network Traffic: Network Traffic Content", - "File: File Access" + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", diff --git a/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json b/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json index a0dea8428f..be018183fd 100644 --- a/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json +++ b/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--f6d16847-c988-4df9-ba31-13b7959c8889", + "id": "bundle--1f632618-a5b1-4c7f-8a9b-fcb4d20e4468", "spec_version": "2.0", "objects": [ { - "modified": "2022-09-19T13:57:23.538Z", + "modified": "2023-10-13T17:57:04.376Z", "name": "Block Reporting Message", "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [ 
@@ -13,23 +13,23 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Input/Output Server", - "Device Configuration/Parameters" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ + "Operational Databases: Process/Event Alarm", + "Process: Process Termination", "Application Log: Application Log Content", "Network Traffic: Network Traffic Flow", - "Process: Process Termination", - "Operational Databases: Process/Event Alarm", "Operational Databases: Process History/Live Data" ], "type": "attack-pattern", @@ -56,9 +56,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json b/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json index d4aaa6850a..73aa91c093 100644 --- a/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json +++ b/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--56e3ebbf-7eb3-498b-881c-793166934b3e", + "id": "bundle--992338c9-86ff-4433-8399-8d855da54fc9", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-05T14:16:02.811Z", + "modified": "2023-10-13T17:57:04.582Z", "name": "Unauthorized Command Message", "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)", "kill_chain_phases": [ 
@@ -13,22 +13,24 @@ "phase_name": "impair-process-control" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Flow", + "Operational Databases: Process History/Live Data", "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", "Operational Databases: Process/Event Alarm", - "Network Traffic: Network Traffic Content", - "Operational Databases: Process History/Live Data" + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", @@ -59,9 +61,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json b/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json index a8703c8148..b6981f3b01 100644 --- a/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json +++ b/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--bd332482-b2a5-4c17-82d9-f624d1805650", + "id": "bundle--8020d7d7-eaa6-4157-83b2-432439b25d06", "spec_version": "2.0", "objects": [ { - "modified": "2022-09-19T14:12:22.878Z", + "modified": "2023-10-13T17:57:04.784Z", "name": "Data Destruction", "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.", "kill_chain_phases": [ 
@@ -13,26 +13,26 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Control Server", - "Human-Machine Interface", - "Field Controller/RTU/PLC/IED" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_contributors": [ "Matan Dobrushin - Otorio" ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "File: File Deletion", "File: File Modification", - "Command: Command Execution", - "Process: Process Creation" + "Process: Process Creation", + "File: File Deletion", + "Command: Command Execution" ], "type": "attack-pattern", "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", @@ -53,9 +53,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json b/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json index 9fd0802ccc..ca6a890deb 100644 --- a/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json +++ b/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--b1845aff-a0bf-4b99-895f-ef0d33972822", + "id": "bundle--466c4ad1-c97b-4e86-9081-2f4d2dda25c1", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:04.993Z", "name": "Manipulation of View", "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.", "kill_chain_phases": [ @@ -22,9 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "type": "attack-pattern", diff --git a/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json b/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json index 8441e3c0ed..c89a692f00 100644 --- a/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json +++ b/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--09baf50c-8d59-4c7e-8229-1d4c6bb0b379", + "id": "bundle--7bffd1d4-f28c-4daa-ad0d-19e3b1d26f58", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json b/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json index d9a2dbea90..54daf68687 100644 --- a/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json +++ b/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--104c8763-a3a0-47f3-a59a-8366a2355f2d", + "id": "bundle--5b8ec28f-a739-4b89-adb0-324f121b79c8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json b/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json index 22862bb3af..8b8fff045e 100644 --- a/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json +++ b/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--d1797562-ffd4-47d2-9eb3-ffa812c27be3", + "id": "bundle--bd677869-f340-431a-ad6e-5ca1e6f17b09", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:05.190Z", "name": "Indicator Removal on Host", "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", "kill_chain_phases": [ 
@@ -19,19 +19,18 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ + "Command: Command Execution", "Process: OS API Execution", + "Windows Registry: Windows Registry Key Modification", "File: File Metadata", "Windows Registry: Windows Registry Key Deletion", + "File: File Deletion", "File: File Modification", - "Command: Command Execution", - "Windows Registry: Windows Registry Key Modification", - "Process: Process Creation", - "File: File Deletion" + "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", diff --git a/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json b/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json index 2d19ea2d80..f66766de07 100644 --- a/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json +++ b/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--431176ba-d425-47d7-9f05-51d546b2ba62", + "id": "bundle--d56a30dd-997c-42c0-8eca-7b6b1281ff56", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:05.375Z", "name": "I/O Image", "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.", "kill_chain_phases": [ @@ -22,7 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json b/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json index b1550c5d18..599bb1db3c 100644 --- a/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json 
+++ b/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--4113ee5d-0eb1-4d5b-a51b-a72b1fc15b28", + "id": "bundle--41e7d60a-233a-4805-a996-a1813d98ed33", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:16:25.031Z", + "modified": "2023-10-13T17:57:05.576Z", "name": "Denial of View", "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ", "kill_chain_phases": [ @@ -13,12 +13,14 @@ "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "None" ], @@ -52,9 +54,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json b/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json index 5c2b088224..4f8e4796ec 100644 --- a/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json +++ b/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--8f4749a1-5360-4d0a-8ab7-d85f7797039b", + "id": "bundle--990c3c1f-5d9d-4c8e-9c59-0c9ea1eb5c09", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:05.776Z", "name": "Execution through API", "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.", "kill_chain_phases": [ @@ -22,7 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json b/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json index 0d031fff8d..a74245c344 100644 --- a/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json +++ b/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--c569336f-0805-4abe-90cf-4520a8c58ed8", + "id": "bundle--96e709cd-f3d2-4e53-a2f4-866b8a01d7cd", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:05.975Z", "name": "Supply Chain Compromise", "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. 
(Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).", "kill_chain_phases": [ @@ -22,12 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json b/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json index 3d877d18cf..76bbdcfb86 100644 --- a/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json +++ b/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a07277a9-3fa8-4c60-bca4-34c93b05494e", + "id": "bundle--c67f89a1-a5fb-48af-a05a-ff69491ca9c5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json b/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json index a441fd65ce..f899b995e8 100644 
--- a/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json +++ b/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--fd2d8ca2-b5a3-4ecf-9aaa-7368d0ff80c3", + "id": "bundle--219dcbd4-50ae-49e6-aad8-4d9ea99177bf", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:06.171Z", "name": "Loss of Safety", "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", "kill_chain_phases": [ diff --git a/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json b/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json index c29eb098dd..1485b37e00 100644 --- a/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json +++ b/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--d0a9d581-2c34-4153-868d-6dc6d88e12e0", + "id": "bundle--639815c9-0970-4753-b6ee-452f3b40bade", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:06.362Z", "name": "Loss of Productivity and Revenue", "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)", "kill_chain_phases": [ diff --git a/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json b/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json index 70af5f2e76..4b26e9edd8 100644 --- a/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json +++ b/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--c4d92fce-374c-4d96-b456-3accab472cd3", + "id": "bundle--83fd4988-2a1e-4e48-b8fc-906c11c4265a", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:06.577Z", "name": "Spearphishing Attachment", "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ @@ -22,17 +22,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface", - "Control Server", - "Data Historian" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", + "Process: Process Creation", "File: File Creation", - "Application Log: Application Log Content", - "Process: Process Creation" + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", 
diff --git a/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json b/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json index 281191747c..db8facf3f0 100644 --- a/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json +++ b/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90a37c1b-68a3-4747-a1c3-89e60d087f1b", + "id": "bundle--5c291e62-27da-4919-978a-bcf76be46f0b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json b/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json index 395c4cd206..23ea28aa24 100644 --- a/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json +++ b/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--6fcfe567-df5d-4ad4-9d76-87de8dd321be", + "id": "bundle--7caff6e1-ac28-4f3e-bf51-a2268eceeb33", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:06.780Z", "name": "Drive-by Compromise", "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.", "kill_chain_phases": [ 
@@ -26,11 +26,11 @@ ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Process: Process Creation", - "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", + "Process: Process Creation", "File: File Creation", - "Network Traffic: Network Traffic Content" + "Network Traffic: Network Connection Creation" ], "type": "attack-pattern", "id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", diff --git a/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json b/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json index 6e89ddf479..dc4665b5c8 100644 --- a/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json +++ b/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json 
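Review bot: The `x_mitre_data_sources` array in this hunk holds the same five entries before and after; only their order differs, and that reordering accounts for every changed line in the hunk. The same order-only churn shows up in the data-source lists for Spearphishing Attachment, Spoof Reporting Message, Default Credentials, External Remote Services, Brute Force I/O and Adversary-in-the-Middle. It buries the release's real content changes, such as the platform edits, and makes a mistaken or tampered entry harder to spot in review. Emitting set-like arrays in a stable sorted order on export, here starting with `"Application Log: Application Log Content",`, would keep them out of future diffs. The enclosing object starts and ends outside the hunk.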
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--e7dde92e-8291-4f3f-80a4-5fec06f5430a", + "id": "bundle--cd46d5e4-94f9-49b0-a30b-497113288daf", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:14:42.829Z", + "modified": "2023-10-13T17:57:06.993Z", "name": "Damage to Property", "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. 
Reportedly, four trams were derailed and were forced to make emergency stops. (Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)", "kill_chain_phases": [ @@ -13,12 +13,14 @@ "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "None" ], @@ -57,9 +59,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json b/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json index 2561e5c946..161425aeb0 100644 --- a/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json +++ b/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--e2738638-e91c-468e-9608-bf3c534fd0f9", + "id": "bundle--069c385d-841c-4c4a-acff-a22afe69b0ef", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:19:14.351Z", + "modified": "2023-10-13T17:57:07.260Z", "name": "Spoof Reporting Message", "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ", "kill_chain_phases": [ 
@@ -17,21 +17,23 @@ "phase_name": "impair-process-control" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Windows Registry: Windows Registry Key Modification", - "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow", - "Operational Databases: Device Alarm" + "Operational Databases: Device Alarm", + "Windows Registry: Windows Registry Key Modification", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", @@ -52,9 +54,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json b/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json index 59f347c6fa..7aa6a5006c 100644 --- a/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json +++ b/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--7aa08273-52b9-4b82-b3f6-617ed4d9e06d", + "id": "bundle--4f9e02b0-76af-441d-9e9d-dc98c40cab52", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:07.457Z", "name": "Exploitation of Remote Services", "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)", "kill_chain_phases": [ @@ -26,9 +26,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Data Historian", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json b/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json index 359271b821..b0fe7ccd53 100644 --- a/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json +++ b/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--b7ba66ba-494c-478e-b1a3-cdf6de52f89f", + "id": "bundle--2a989f5b-d0d1-44c3-9631-6f08906d7e2e", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:07.653Z", "name": "Default Credentials", "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.", "kill_chain_phases": [ @@ -22,16 +22,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Control Server", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Logon Session: Logon Session Creation", - "Network Traffic: Network Traffic Content" + "Network Traffic: Network Traffic Content", + "Logon Session: Logon Session Creation" ], "type": "attack-pattern", "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", diff --git a/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json b/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json index bb8e32f41f..f0f90b547d 100644 
--- a/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json +++ b/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--ef731c50-a798-451f-bad0-df5e40189e73", + "id": "bundle--19799421-3ecf-4ac9-9feb-48314890eb06", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:16:55.602Z", + "modified": "2023-10-13T17:57:07.840Z", "name": "External Remote Services", "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n", "kill_chain_phases": [ 
@@ -13,21 +13,22 @@ "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Input/Output Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", "Logon Session: Logon Session Metadata", - "Network Traffic: Network Traffic Flow" + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", @@ -53,9 +54,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json b/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json index 28c80fe0e3..441ee2cfe0 100644 --- a/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json +++ b/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--30d736b6-02a2-4192-9180-1bc91974058e", + "id": "bundle--3b07a62a-ccac-4cae-b298-968a0bc44221", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-29T16:17:27.903Z", + "modified": "2023-10-13T17:57:08.037Z", "name": "Brute Force I/O", "description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.", "kill_chain_phases": [ @@ -13,20 +13,21 @@ "phase_name": "impair-process-control" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Operational Databases: Process History/Live Data", + "Application Log: Application Log Content", "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", 
@@ -43,9 +44,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json b/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json index 2dfd5a08a0..e9d0448351 100644 --- a/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json +++ b/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8f0d777-2c46-4ca4-889c-5a6c2bfb4dce", + "id": "bundle--6f367179-d960-4b9b-bc5f-669ce239e455", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json b/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json index 68f7edaa69..00aba7c354 100644 --- a/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json +++ b/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--e94c0411-193f-4125-9eca-bdf4137bd992", + "id": "bundle--048f9aac-72ea-4614-8281-a2d4038d7ad3", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:08.233Z", "name": "Adversary-in-the-Middle", "description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)", "kill_chain_phases": [ 
@@ -25,18 +25,16 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface" + "None" ], "x_mitre_version": "2.0", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", "Windows Registry: Windows Registry Key Modification", - "Service: Service Creation", - "Application Log: Application Log Content", + "Process: Process Creation", "Network Traffic: Network Traffic Flow", - "Process: Process Creation" + "Service: Service Creation", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", diff --git a/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json b/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json index 57dabfa7b4..b55af7bee8 100644 --- a/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json +++ b/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--19652c3e-f3ae-4889-8ecb-5d3b79be5cb3", + "id": "bundle--0eb5fb9c-b99e-42c4-86f2-9f00a26db0ec", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:08.425Z", "name": "Exploitation for Evasion", "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).", "kill_chain_phases": [ @@ -22,8 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json b/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json index 3ac0872559..79460f438d 100644 --- a/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json +++ b/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--853fdbb2-8d3f-4b90-a75c-ac8549b0e566", + "id": "bundle--fa37a80c-329c-4936-8d63-a24acd7ce524", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:08.613Z", "name": "Loss of Control", "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.", "kill_chain_phases": [ diff --git a/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json b/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json index 1f050455bb..6433587891 100644 --- a/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json +++ b/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02373bd0-2884-45ee-968c-1206cda5aab2", + "id": "bundle--f2358b1a-c877-447e-bbc3-abed2cea6609", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json b/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json index 93473ba7ac..03d30d67b6 100644 --- a/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json 
+++ b/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--16ee109f-a60c-4abb-8341-abf69cad8954", + "id": "bundle--57bb7faa-71ab-4044-ba42-e5b560b1f0da", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T13:32:08.619Z", + "modified": "2023-10-13T17:57:08.803Z", "name": "Hooking", "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "kill_chain_phases": [ @@ -17,19 +17,21 @@ "phase_name": "privilege-escalation" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Process: Process Metadata", - "Process: OS API Execution" + "Process: OS API Execution", + "Process: Process Metadata" ], "type": "attack-pattern", "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", 
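Review bot: Most of the second hunk for Hooking is serialization churn around the one real change to `x_mitre_platforms`. The two `x_mitre_data_sources` entries are the same values in swapped order, and `x_mitre_attack_spec_version` and `x_mitre_modified_by_ref` appear only to be moved, since they are removed from the end of the object in the following hunk. Emitting object keys and set-like arrays in a stable sorted order would keep release diffs limited to real content changes, which matters when this data is reviewed for unexpected edits. The same reordering shows in the Adversary-in-the-Middle, Graphical User Interface, Rogue Master, System Firmware, Masquerading, Program Download, Replication Through Removable Media and Valid Accounts hunks.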
@@ -55,9 +57,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json b/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json index a0aff59be7..d738c9f00a 100644 --- a/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json +++ b/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64422d00-2f11-45e6-a901-02726445ba58", + "id": "bundle--2256a317-50d4-40ba-88e6-2c5cf6a8b705", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json b/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json index 9f28911a64..5c3629c14b 100644 --- a/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json +++ b/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f0490d6-64a2-4552-b9fe-cdba1777d4ff", + "id": "bundle--a2e8851a-7769-4948-a7d9-4f33c2c3483d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json b/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json index ca6c6a08bd..d72656ce61 100644 --- a/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json +++ b/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--eaa0742b-7274-4d70-ada8-c75d470e9d2a", + "id": "bundle--a0382d50-d0af-4020-8d5a-2a8f0e70d93f", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:08.992Z", "name": "Graphical User Interface", "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.", "kill_chain_phases": [ @@ -22,14 +22,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Module: Module Load", + "Process: Process Creation", "Command: Command Execution", - "Logon Session: Logon Session Creation", - "Process: Process Creation" + "Module: Module Load", + "Logon Session: Logon Session Creation" ], "type": "attack-pattern", "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", diff --git a/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json b/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json index 5bd21308d1..56634689eb 100644 --- a/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json +++ b/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--4bc222f7-bbc4-4fe5-b896-fc0b7048b535", + "id": "bundle--66cbc60a-93db-451e-9bd4-713201430f84", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:18:41.277Z", + "modified": "2023-10-13T17:57:09.193Z", "name": "Rogue Master", "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)", "kill_chain_phases": [ @@ -13,24 +13,24 @@ "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ + "Asset: Asset Inventory", "Network Traffic: Network Traffic Flow", - "Network Traffic: Network Traffic Content", - "Application Log: Application Log Content", "Operational Databases: Device Alarm", - "Asset: Asset Inventory" + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", 
@@ -56,9 +56,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json b/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json index 6a50b791ca..ee677e35a6 100644 --- a/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json +++ b/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--00606419-ba73-4949-8e2d-72f65e213000", + "id": "bundle--c6f05f8f-3742-4e7b-8121-111ec2e82a10", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:09.388Z", "name": "Native API", "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.", "kill_chain_phases": [ 
@@ -22,12 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json b/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json index e6299f101c..abdd15ea86 100644 --- a/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json +++ b/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--b9eb05e2-f6bd-44ba-b56b-cbc19b9a3cd5", + "id": "bundle--c53e32b3-e085-4cfa-b371-d11d4dc2c28d", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:09.581Z", "name": "Loss of Availability", "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)", "kill_chain_phases": [ diff --git a/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json b/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json index d819c76538..21a5e65c54 100644 --- a/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json 
+++ b/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--2b49e85d-5e42-4341-9d3f-41783b849af7", + "id": "bundle--76da32b3-11fd-454a-a0c6-44f6f9b428f0", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:09.780Z", "name": "Theft of Operational Information", "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)", "kill_chain_phases": [ diff --git a/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json b/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json index 058a995be7..97183fcda6 100644 --- a/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json +++ b/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--b4312a29-3263-4291-a245-0f7334977be8", + "id": "bundle--372fee30-fca3-4e10-9846-4f5c1c4e3d9f", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:09.988Z", "name": "System Firmware", "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)", "kill_chain_phases": [ @@ -26,14 +26,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED", - "Input/Output Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Operational Databases: Device Alarm", + "Application Log: Application Log Content", "Firmware: Firmware Modification", "Network Traffic: Network Traffic Content" ], diff --git a/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json b/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json index a4dec22c79..81f5039694 100644 --- a/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json 
+++ b/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--c4ab8b27-b857-43c5-9754-159394b6a29a", + "id": "bundle--1f3b8a2b-4628-4d03-9a5b-4d211f4c65d1", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.181Z", "name": "Masquerading", "description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.", "kill_chain_phases": [ @@ -22,19 +22,18 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Scheduled Job: Scheduled Job Creation", "Service: Service Creation", - "Command: Command Execution", "File: File Modification", - "Service: Service Modification", "Process: Process Metadata", + "Command: Command Execution", + "Scheduled Job: Scheduled Job Modification", + "Service: Service Modification", "File: File Metadata", - "Scheduled Job: Scheduled Job Modification" + "Scheduled Job: Scheduled Job Creation" ], "type": "attack-pattern", "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", 
diff --git a/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json b/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json index dc3dce7a8a..4e47fec7fe 100644 --- a/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json +++ b/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--99cca7a3-7894-4a3b-bf46-e95b57711886", + "id": "bundle--459b26b7-7e03-49f4-aae4-ae7b014d48d4", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.374Z", "name": "Program Download", "description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.", "kill_chain_phases": [ 
@@ -22,15 +22,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", "Network Traffic: Network Traffic Content", "Asset: Asset Inventory", - "Application Log: Application Log Content", - "Operational Databases: Device Alarm" + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", diff --git a/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json b/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json index a936064ebb..9eed801f25 100644 --- a/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json +++ b/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--1feedcd4-6b17-4200-8d79-1dd0c6d7ab90", + "id": "bundle--cf1267b3-316d-454a-8f95-267efee6652b", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.581Z", "name": "Replication Through Removable Media", "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)", "kill_chain_phases": [ 
@@ -22,16 +22,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Data Historian", - "Control Server" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Process: Process Creation", "File: File Creation", - "File: File Access", - "Drive: Drive Creation" + "Drive: Drive Creation", + "File: File Access" ], "type": "attack-pattern", "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", diff --git a/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json b/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json index b34be6fb41..40ed28275a 100644 --- a/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json +++ b/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--22219393-df8a-4029-8993-78c9e69e1c2a", + "id": "bundle--ac0445c5-0978-4f7f-9809-68815c7d6450", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.768Z", "name": "Screen Capture", "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.", "kill_chain_phases": [ 
@@ -19,7 +19,7 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json b/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json index a843015adc..9379922fac 100644 --- a/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json +++ b/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--c26a2f01-7ea4-4f37-8897-7f5a6a2f8063", + "id": "bundle--45f85257-0177-4d53-a52a-b64a85e9a643", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.962Z", "name": "Hardcoded Credentials", "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n", "kill_chain_phases": [ 
@@ -29,12 +29,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Control Server", - "Data Historian", - "Human-Machine Interface", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ diff --git a/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json b/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json index edd5689fd8..cbb0495069 100644 --- a/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json +++ b/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--dffc66e0-2db0-4196-bc70-bfac809a6493", + "id": "bundle--af50409d-5655-4199-8caf-01056210caa4", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:11.152Z", "name": "Valid Accounts", "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.", "kill_chain_phases": [ 
@@ -26,19 +26,13 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Engineering Workstation", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Logon Session: Logon Session Metadata", + "User Account: User Account Authentication", "Logon Session: Logon Session Creation", - "User Account: User Account Authentication" + "Logon Session: Logon Session Metadata" ], "type": "attack-pattern", "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", diff --git a/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json b/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json index 93ee04eda0..1779c20783 100644 --- a/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json +++ b/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--af819028-d807-42a7-8a30-35882dc5affb", + "id": "bundle--a4a81df3-f643-4eb6-9760-78bfe8b68f5d", "spec_version": "2.0", "objects": [ { - "modified": "2022-09-27T16:38:58.028Z", + "modified": "2023-10-13T17:57:11.342Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)", "kill_chain_phases": [ 
@@ -13,16 +13,17 @@ "phase_name": "privilege-escalation" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Human-Machine Interface", - "Safety Instrumented System/Protection Relay" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Application Log: Application Log Content" @@ -46,9 +47,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json b/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json index bdaa8bdb3c..a37fa01ab6 100644 --- a/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json +++ b/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json 
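Review bot: `x_mitre_attack_spec_version` is moved up in this hunk but keeps the value `"2.1.0"`, although the object gets a new `modified` time and rewritten platforms; other objects touched by this patch (for example Denial of Control) carry `"3.1.0"`. If the object was re-exported under the newer spec, the field should presumably read `"x_mitre_attack_spec_version": "3.1.0"`; if the old value is intentional, that is worth stating in the release notes. Parsers that pick validation rules from this field may otherwise apply the older rules to an object produced by the newer export.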
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--d5b587a1-5add-4019-bf8b-4135eea22087", + "id": "bundle--6a83da6c-4341-448e-81fa-c5bdee3a97ee", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:11.536Z", "name": "Remote System Discovery", "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [ @@ -22,18 +22,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ + "File: File Access", "Process: Process Creation", "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow", - "File: File Access" + "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", diff --git a/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json b/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json index 5e9377a5ba..b99f84ca67 100644 --- a/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json +++ b/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60a0c521-6245-4620-84e7-79add7b94d67", + "id": "bundle--bd1c266d-20df-4029-b2b5-a754be34e15b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json b/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json index 8bd062b922..e7ecd12809 100644 --- a/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json +++ b/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--c42a6810-78de-4e58-806f-f927fbb41ed2", + "id": "bundle--9aee5339-15f4-4b76-99ce-a7b5fc9c168e", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:11.730Z", "name": "Connection Proxy", "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [ @@ -26,8 +26,8 @@ ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Flow", - "Network Traffic: Network Traffic Content" + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", "id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", 
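Review bot: The second hunk for this file only swaps the two `x_mitre_data_sources` entries, and the hunk for attack-pattern--e076cca8 swaps the same two values in the opposite direction, which suggests the array is serialized in an unstable order. Reorder-only churn makes it hard to spot a real addition or removal of a detection data source when reviewing a release diff. Emitting the array sorted, e.g. `"Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow"` in every object, would keep the diff to real changes; until then consumers should compare these arrays as sets.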
diff --git a/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json b/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json index cafeda8989..a3bc704e2a 100644 --- a/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json +++ b/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--f5d36f91-9cfa-404b-a34e-623a4552cb6e", + "id": "bundle--822eff89-d639-48a2-bd95-643c9a6bfb74", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:11.924Z", "name": "Standard Application Layer Protocol", "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.", "kill_chain_phases": [ @@ -19,15 +19,12 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Data Historian", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", 
diff --git a/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json b/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json index 595f52b41a..3dc19d84fc 100644 --- a/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json +++ b/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--baa2fbf2-5614-4b85-93ae-fd651e01b7df", + "id": "bundle--8d2f4897-6e69-4dd3-abdb-0cc79bfae4c1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json b/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json index ee9dc63f8c..425fa041f7 100644 --- a/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json +++ b/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--82f60307-7461-408b-a5ff-a3fee2b6b31e", + "id": "bundle--6a6129fa-44a2-4e87-acd1-119c601269b9", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:12.125Z", "name": "Remote Services", "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. 
(Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ @@ -29,19 +29,17 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface", - "Control Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Module: Module Load", - "Network Share: Network Share Access", - "Process: Process Creation", "Logon Session: Logon Session Creation", + "Process: Process Creation", + "Command: Command Execution", "Network Traffic: Network Connection Creation", - "Command: Command Execution" + "Network Share: Network Share Access" ], "type": "attack-pattern", "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", diff --git a/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json b/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json index ce7cfcbeb6..083d9b7c4a 100644 --- a/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json +++ b/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b72c047f-1768-4622-bfdf-253abd1e2290", + "id": "bundle--f9e3a68a-0b79-4cf0-a104-3586bf994cc4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json b/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json index cb3be80979..6aa999026a 100644 --- a/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json +++ b/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--a2d23f8d-0a4a-4f0b-8270-75256d235ddb", + "id": "bundle--06f9906d-d86f-49c7-a131-b2bd5cb900e4", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:15:14.260Z", + "modified": "2023-10-13T17:57:12.329Z", "name": "Denial of Control", "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)", "kill_chain_phases": [ @@ -13,12 +13,14 @@ "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "None" ], @@ -57,9 +59,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json b/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json index f1827db0d0..4199889d41 100644 --- a/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json 
+++ b/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--97a2f1d7-e84d-4b11-b011-69b515684193", + "id": "bundle--dc228fd5-77c4-4fc6-83d0-a439ff4cead5", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:17:43.803Z", + "modified": "2023-10-13T17:57:12.528Z", "name": "Modify Alarm Settings", "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ", "kill_chain_phases": [ 
@@ -13,25 +13,23 @@ "phase_name": "inhibit-response-function" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED", - "Device Configuration/Parameters" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ "Application Log: Application Log Content", + "Asset: Asset Inventory", "Operational Databases: Process History/Live Data", - "Network Traffic: Network Traffic Content", - "Asset: Asset Inventory" + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", @@ -52,9 +50,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json b/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json index 69dadda481..6346ef0d90 100644 --- a/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json +++ b/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--dd61cc75-878b-4708-84fa-b03934ac6db4", + "id": "bundle--522c4e3c-7dd5-4e74-8f24-8ef0a1a1081d", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:12.723Z", "name": "Commonly Used Port", "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)", "kill_chain_phases": [ @@ -25,16 +25,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Control Server", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", diff --git a/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json b/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json index 63892c305f..0f51af3530 100644 --- a/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json 
+++ b/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--6ee95260-55f4-4b07-8f60-f4ad92ab1bb8", + "id": "bundle--58664362-2714-4f1d-b62f-5726da46eb50", "spec_version": "2.0", "objects": [ { - "modified": "2023-05-08T18:58:24.092Z", + "modified": "2023-10-13T17:57:12.926Z", "name": "Project File Infection", "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)", "kill_chain_phases": [ @@ -13,15 +13,16 @@ "phase_name": "persistence" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ 
@@ -56,9 +57,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json b/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json index bfa965ce2b..4925604e61 100644 --- a/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json +++ b/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--9bd0d03d-1e61-4876-83e4-e9e9cca8d0b6", + "id": "bundle--0975259a-5dbc-402a-9d5c-9ac7b34542b5", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:13.131Z", "name": "Network Connection Enumeration", "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.", "kill_chain_phases": [ @@ -22,7 +22,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ 
diff --git a/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json b/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json index 960854e300..000ee3ddc9 100644 --- a/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json +++ b/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--4e6f52f7-0b94-49c3-acb3-49f8c8220716", + "id": "bundle--ef6feb12-96e2-4161-ac93-5203b33b50cb", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:13.327Z", "name": "Lateral Tool Transfer", "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.", "kill_chain_phases": [ 
@@ -22,19 +22,17 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Data Historian" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Process: Process Creation", - "File: File Creation", - "File: File Metadata", "Network Share: Network Share Access", - "Network Traffic: Network Traffic Flow", - "Command: Command Execution" + "File: File Metadata", + "File: File Creation", + "Network Traffic: Network Traffic Content", + "Command: Command Execution", + "Process: Process Creation", + "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", "id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", diff --git a/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json b/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json index 2845b59379..adc1fbb81f 100644 --- a/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json +++ b/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--bd74b813-e55a-4819-adf1-ae7fb3a9260c", + "id": "bundle--5191d7e4-f82a-478f-87fe-f5d63b4d97f9", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:13.531Z", "name": "Module Firmware", "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. 
\n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", "kill_chain_phases": [ @@ -26,14 +26,13 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Application Log: Application Log Content", "Operational Databases: Device Alarm", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", "Firmware: Firmware Modification" ], "type": "attack-pattern", diff --git a/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json b/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json index 6c890043d1..53762d149c 100644 --- a/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json +++ b/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--2a817bbb-9524-4ceb-8264-0ec302ba9309", + "id": "bundle--101dabc7-c0e4-4229-a57e-dcf9bb1aafa6", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:13.719Z", "name": "Internet Accessible Device", "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)", "kill_chain_phases": [ 
@@ -22,18 +22,13 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Logon Session: Logon Session Metadata", - "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", diff --git a/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json b/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json index dfa90373d9..95249f63e0 100644 --- a/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json +++ b/ics-attack/attack-pattern/attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--63a71c8f-7a45-4400-9ddc-0131361f55d1", + "id": "bundle--90f7e11a-1874-4e48-a434-1e447bb3d805", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-05T14:14:48.109Z", + "modified": "2023-10-13T17:57:13.921Z", "name": "Data from Local System", "description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ", "kill_chain_phases": [ @@ -13,27 +13,24 @@ "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Control Server", - "Input/Output Server", - "Human-Machine Interface", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Command: Command Execution", - "Process: OS API Execution", + "File: File Access", "Process: Process Creation", "Script: Script Execution", - "File: File Access" + "Process: OS API Execution", + "Command: Command Execution" ], "type": "attack-pattern", "id": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", 
@@ -49,9 +46,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json b/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json index 46034449ed..3993433546 100644 --- a/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json +++ b/ics-attack/attack-pattern/attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--b2051dfe-26a2-4050-bd67-7aacf6fc8467", + "id": "bundle--8cb5eec3-0beb-4864-80c9-0a6c68330885", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-07T13:40:53.842Z", + "modified": "2023-10-13T17:57:14.123Z", "name": "Change Credential", "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device\u2019s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n", "kill_chain_phases": [ @@ -13,6 +13,7 @@ "phase_name": "inhibit-response-function" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_contributors": [ "Felix Eberstaller" ], 
@@ -22,13 +23,14 @@ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Operational Databases: Device Alarm" + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", @@ -49,9 +51,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json b/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json index 8a9c0184d6..ac2f6c2fda 100644 --- a/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json +++ b/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--01b173fc-5561-440a-8380-62198c50ba45", + "id": "bundle--ca29bc1d-4b15-4abd-91ff-c51cedac863f", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-20T17:01:10.138Z", "name": "Modify Program", "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.", "kill_chain_phases": [ @@ -13,23 +13,21 @@ "phase_name": "persistence" } ], - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], - "x_mitre_version": "1.1", + "x_mitre_version": "1.2", "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", "Operational Databases: Device Alarm", "Asset: Software", - "Application Log: Application Log Content", - "Network Traffic: Network Traffic Content" + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", 
@@ -50,7 +48,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json b/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json new file mode 100644 index 0000000000..c314befe51 --- /dev/null +++ b/ics-attack/campaign/campaign--46421788-b6e1-4256-b351-f8beffd1afba.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--9df5a124-ff27-41ee-a641-1bca3ce88903", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-06T14:05:01.054Z", + "name": "2015 Ukraine Electric Power Attack", + "description": "[2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.", + "aliases": [ + "2015 Ukraine Electric Power Attack" + ], + "first_seen": "2015-12-01T05:00:00.000Z", + "last_seen": "2016-01-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Booz Allen Hamilton)", + "x_mitre_last_seen_citation": "(Citation: Booz Allen Hamilton)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "created": "2023-09-27T13:11:52.340Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0028", + "external_id": "C0028" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ] + } + ] +} \ No newline at end of file diff --git a/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json b/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json index 0a34459a61..2d4111d8da 100644 --- a/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json +++ b/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--56950f2b-d5bb-4ae1-ad11-c4c4c4e088b1", + "id": "bundle--0dcb0e39-eca4-43e8-a10b-4b53e244dd84", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-21T15:56:01.070Z", + "modified": "2023-09-20T22:40:13.147Z", "name": "Oldsmar Treatment Plant Intrusion", "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)", "aliases": [ 
@@ -14,7 +14,7 @@ "last_seen": "2021-02-01T05:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", - "x_mitre_deprecated": false, + "x_mitre_deprecated": true, "x_mitre_version": "1.0", "type": "campaign", "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", @@ -46,7 +46,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "ics-attack" diff --git a/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json b/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json index 05aebc30f4..3fec6b243d 100644 --- a/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json +++ b/ics-attack/campaign/campaign--70cab19e-1745-425e-b3db-c02cd5ff157a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b27263c2-2c44-42e0-a121-3727560f9b61", + "id": "bundle--2ad2457c-da40-415d-a1e5-5d2a063107dd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json b/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json index 12cb015b7e..6361362898 100644 --- a/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json +++ b/ics-attack/campaign/campaign--aa73efef-1418-4dbe-b43c-87a498e97234.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8026253-06b2-44ac-98a3-163ddc80355c", + "id": "bundle--a4d77a4d-5e41-4560-b12f-bda8a36b37bd", "spec_version": "2.0", "objects": [ { 
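Review bot: `"x_mitre_deprecated": true` in the `@@ -14,7 +14,7 @@` hunk retires the Oldsmar Treatment Plant Intrusion campaign, yet the description shown as context in this file's first hunk is unchanged and gives no reason or successor. Tooling that filters out deprecated objects will drop the campaign and its three cited reports from ICS threat-model and detection-mapping views with no trace of why. I would open the description with one sentence such as `This campaign has been deprecated; <reason or replacement object>.` so the record explains itself. The `revoked` field lies outside the hunks, so whether it was changed as well cannot be checked here.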
diff --git a/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json b/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json index 4a8f16c369..2821465f0b 100644 --- a/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json +++ b/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json @@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--8178d68a-f9a5-417a-b181-6ececab1515e", + "id": "bundle--f7140590-6cca-4215-b56c-ec4989fedc50", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:21.006Z", + "modified": "2023-09-19T21:33:26.200Z", "name": "Application Isolation and Sandboxing", "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.", "labels": [ "IEC 62443-3-3:2013 - SR 5.4", "IEC 62443-4-2:2019 - CR 5.4", - "NIST SP 800-53 Rev. 4 - SI-3" + "NIST SP 800-53 Rev. 5 - SI-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "created": "2019-06-11T17:06:56.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json b/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json index 13d7bc925b..699579b6e3 100644 
--- a/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json +++ b/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--3007ab4e-b24a-4606-bf51-0407af48b424", + "id": "bundle--07c64138-a1d7-48e6-b2e5-bdf2c9292b51", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:19.604Z", + "modified": "2023-09-19T21:44:59.425Z", "name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", "labels": [ "IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", - "NIST SP 800-53 Rev. 4 - AC-3; SC-7" + "NIST SP 800-53 Rev. 5 - AC-3; SC-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "created": "2019-06-11T16:33:55.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -36,7 +36,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json b/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json index dd95661fd3..b66cd4370c 100644 --- a/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json +++ b/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json @@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--7f17af24-33aa-4219-95da-df7069ea1bd3", + "id": "bundle--5be468dd-a94d-4035-858b-b0895eb73b27", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:17.426Z", + "modified": "2023-09-20T13:11:35.668Z", "name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "labels": [ "IEC 62443-3-3:2013 - SR 2.4", "IEC 62443-4-2:2019 - HDR 2.4", - "NIST SP 800-53 Rev. 4 - SC-18" + "NIST SP 800-53 Rev. 5 - SC-18" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "created": "2019-06-06T20:52:59.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json b/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json index 8f5378b18f..6ec0d0d088 100644 --- a/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json +++ b/ics-attack/course-of-action/course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517.json @@ -1,18 +1,18 @@ { "type": "bundle", - "id": "bundle--12cb1484-5fe8-4049-b294-7848cdd11c27", + "id": "bundle--8baaf8bb-b415-483a-a3bf-077579cf216e", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-31T19:16:54.636Z", + "modified": "2023-09-20T13:14:57.819Z", "name": "Validate Program Inputs", "description": "Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)", "labels": [ - "NIST SP 800-53 Rev. 4 - SI-10", "IEC 62443-3-3:2013 - SR 3.5", "IEC 62443-3-3:2013 - SR 3.6", "IEC 62443-4-2:2019 - CR 3.5", - "IEC 62443-4-2:2019 - CR 3.6" + "IEC 62443-4-2:2019 - CR 3.6", + "NIST SP 800-53 Rev. 5 - SI-10" ], "x_mitre_deprecated": false, "x_mitre_domains": [ 
diff --git a/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json b/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json index ab38dfc984..27fc2efbb4 100644 --- a/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json +++ b/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json 
@@ -1,47 +1,49 @@ { "type": "bundle", - "id": "bundle--eecccda2-5dcf-4ef2-b90c-f06b677e531c", + "id": "bundle--37fc0e1f-fcb7-4f5d-9b24-e2627bc28bc8", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:18.480Z", + "modified": "2023-09-19T21:50:12.354Z", "name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)", "labels": [ "IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", - "NIST SP 800-53 Rev. 4 - AC-3" + "NIST SP 800-53 Rev. 
5 - AC-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "created": "2019-06-10T20:41:03.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0930", "external_id": "M0930" }, - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - }, { "source_name": "IEC August 2013", "description": "IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/7033" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json b/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json index 2e3f8f4597..f9655557a9 100644 --- a/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json 
+++ b/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json @@ -1,16 +1,16 @@ { "type": "bundle", - "id": "bundle--8c774de0-ddbb-4fd0-ae0b-537a795797ce", + "id": "bundle--e3d4fbab-9b9c-452c-b33c-893039aecc56", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-11T20:51:32.610Z", + "modified": "2023-09-20T13:10:52.949Z", "name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], "x_mitre_deprecated": false, "x_mitre_domains": [ diff --git a/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json b/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json index 4bf191f892..9c57566dee 100644 --- a/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json +++ b/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d378897-1661-4ec7-8c8e-9daab267b879", + "id": "bundle--3f2a7309-8e07-47dd-9bfa-533dafd1f8c9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json b/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json index 83ebd1fbc6..720df0f5ae 100644 --- a/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json +++ b/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--ca7991c9-520c-4a00-a9ee-1802130364f5", + "id": "bundle--31b2bec3-a3ca-442c-bd0b-031ee0488faf", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:18.665Z", + "modified": "2023-09-19T21:49:53.366Z", "name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", "labels": [ "IEC 62443-3-3:2013 - SR 6.2", "IEC 62443-4-2:2019 - CR 6.2", - "NIST SP 800-53 Rev. 4 - SI-4" + "NIST SP 800-53 Rev. 5 - SI-4" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "created": "2019-06-10T20:46:02.263Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json b/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json index 5e973e5743..8523309b33 100644 --- a/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json +++ b/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--c4734fa7-3498-4f51-b03a-77b627ce541d", + "id": "bundle--664a6446-9295-418e-8c9f-4d8075f634c1", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:17.759Z", + "modified": "2023-09-20T13:11:12.773Z", "name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "labels": [ "IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 4 - AC-6" + "NIST SP 800-53 Rev. 5 - AC-6" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", "created": "2019-06-06T20:58:59.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json b/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json index ee8e5efbd9..fcc665c58e 100644 --- a/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json +++ b/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cd9a815-58b5-4fd3-8638-63722e21ee6a", + "id": "bundle--3acb4e28-ed44-4f4d-96f0-0832291f9e25", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json b/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json index af0b960cbb..c14796c5b6 100644 --- a/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json +++ b/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json 
@@ -1,47 +1,49 @@ { "type": "bundle", - "id": "bundle--b1783e8d-5969-4cb0-b721-bbae9236d5a4", + "id": "bundle--14457271-d6a1-4ed2-8c17-9eae6970b472", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:14.081Z", + "modified": "2023-09-19T21:30:56.250Z", "name": "Access Management", "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", "labels": [ "IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 4 - AC-3" + "NIST SP 800-53 Rev. 5 - AC-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0801", "external_id": "M0801" }, - { - "source_name": "McCarthy, J et al. July 2018", - "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 
2020/09/17 ", - "url": "https://doi.org/10.6028/NIST.SP.1800-2" - }, { "source_name": "Centre for the Protection of National Infrastructure November 2010", "description": "Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf" + }, + { + "source_name": "McCarthy, J et al. July 2018", + "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", + "url": "https://doi.org/10.6028/NIST.SP.1800-2" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json b/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json index e3188a870f..8825dd3453 100644 --- a/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json +++ b/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65d01bdf-a4c6-4920-9bc0-71997300128e", + "id": "bundle--ee2575c5-5ae3-4701-812c-4829db325d32", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json b/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json index 68c577b213..6d9da32276 100644 --- a/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json +++ b/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--91c8b241-8b61-4275-8427-0e1ebf3a0867", + "id": "bundle--cde70f1f-0278-47b5-9560-b2b8ff76079b", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:21.352Z", + "modified": "2023-09-19T21:44:04.416Z", "name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "labels": [ "IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", - "NIST SP 800-53 Rev. 4 - SI-16" + "NIST SP 800-53 Rev. 5 - SI-16" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "created": "2019-06-11T17:10:57.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json b/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json index 82e2931505..fd4bebb644 100644 --- a/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json +++ b/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--74768b6e-3678-471a-89ed-61c619b9ca86", + "id": "bundle--80d3a78d-b5e2-4934-b779-0a74c9278709", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:19.179Z", + "modified": "2023-09-19T21:48:00.950Z", "name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "labels": [ "IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", - "NIST SP 800-53 Rev. 4 - AC-3; SC-7" + "NIST SP 800-53 Rev. 5 - AC-3; SC-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", "created": "2019-06-11T16:30:16.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json b/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json index 41ee94171f..6595950e7d 100644 --- a/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json +++ b/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--575b2c0e-9b64-48b1-b078-2f1076c8c802", + "id": "bundle--e780db74-d767-45a0-8051-62b0281eac4c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:19.774Z", + "modified": "2023-09-19T21:43:44.551Z", "name": "Execution Prevention", "description": "Block execution of code on a system through application control, and/or script blocking.", "labels": [ "IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", - "NIST SP 800-53 Rev. 4 - SI-3" + "NIST SP 800-53 Rev. 5 - SI-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "created": "2019-06-11T16:35:25.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json b/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json index 532ef5e83a..028dd080e8 100644 --- a/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json +++ b/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json 
@@ -1,16 +1,16 @@ { "type": "bundle", - "id": "bundle--c5e6021a-9dfa-41ba-90d9-e6a83a95a6ab", + "id": "bundle--b6ed745d-5bbe-4d53-abb1-1f333f576c44", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-05T14:21:27.977Z", + "modified": "2023-09-20T13:12:51.139Z", "name": "Static Network Configuration", "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], "x_mitre_deprecated": false, "x_mitre_domains": [ diff --git a/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json b/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json index 58df662724..789cf04b98 100644 --- a/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json +++ b/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--c6b65eaf-ca3d-4525-8bac-260ec428bbcd", + "id": "bundle--5df14d29-7376-4ed4-91fc-c28e6fd08152", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:18.097Z", + "modified": "2023-09-19T21:51:14.526Z", "name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "labels": [ "IEC 62443-3-3:2013 - SR 1.5", "IEC 62443-4-2:2019 - CR 1.5", - "NIST SP 800-53 Rev. 4 - IA-5" + "NIST SP 800-53 Rev. 5 - IA-5" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "created": "2019-06-06T21:10:35.792Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json b/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json index ad848a8775..c7cd62fb51 100644 --- a/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json +++ b/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--dea95d96-2784-4d32-a264-340694612d94", + "id": "bundle--5ce15c6f-b510-44e3-818e-840e078c8943", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:17.929Z", + "modified": "2023-09-19T21:51:40.366Z", "name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "labels": [ "IEC 62443-3-3:2013 - SR 1.3", "IEC 62443-4-2:2019 - CR 1.3", - "NIST SP 800-53 Rev. 4 - AC-2" + "NIST SP 800-53 Rev. 5 - AC-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "created": "2019-06-06T21:09:47.115Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json b/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json index b3dae18115..6a08c14233 100644 --- a/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json +++ b/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json 
@@ -1,24 +1,22 @@ { "type": "bundle", - "id": "bundle--558ef376-11d2-44a8-bc44-25b7de338151", + "id": "bundle--418feee6-f732-4d08-ae86-efcbccf28949", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:14.615Z", + "modified": "2023-10-20T17:02:00.299Z", "name": "Human User Authentication", "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", "labels": [ "IEC 62443-3-3:2013 - SR 1.1", "IEC 62443-4-2:2019 - CR 1.1", - "NIST SP 800-53 Rev. 4 - IA-2" + "NIST SP 800-53 Rev. 5 - IA-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "created": "2020-09-11T16:32:21.854Z", 
@@ -33,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json b/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json index 605903e3ca..b4c4c45dc4 100644 --- a/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json +++ b/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--423f8cc1-f265-4d8c-8b8d-06adc54ec0db", + "id": "bundle--f5141d40-809e-42e3-892c-4ae644ca082f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json b/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json index 19bf72917d..446793afdf 100644 --- a/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json +++ b/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--521f4a70-6d12-4f55-b045-1eb1d77ebef5", + "id": "bundle--da143114-99c7-4379-92f5-f0d9dd955384", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:20.464Z", + "modified": "2023-09-19T21:39:41.056Z", "name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "labels": [ "IEC 62443-3-3:2013 - SR 3.4", "IEC 62443-4-2:2019 - CR 3.4", - "NIST SP 800-53 Rev. 4 - SI-7" + "NIST SP 800-53 Rev. 5 - SI-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "created": "2019-06-11T17:01:25.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json b/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json index e833db9153..4aa7ccfaf3 100644 --- a/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json +++ b/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--b3474fd4-e373-4351-a448-d8e9c758687e", + "id": "bundle--1ba2a77e-56f4-4bf5-9e4a-74e09fda8bcc", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:15.949Z", + "modified": "2023-09-20T13:12:24.527Z", "name": "Software Process and Device Authentication", "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", "labels": [ "IEC 62443-3-3:2013 - SR 1.2", "IEC 62443-4-2:2019 - CR 1.2", - "NIST SP 800-53 Rev. 4 - IA-9" + "NIST SP 800-53 Rev. 5 - IA-9" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json b/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json index 24fbb18dcc..fc9771bbff 100644 --- a/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json +++ b/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--f24f6754-c9f1-42fd-9be1-624865b5cf8d", + "id": "bundle--72d46cca-d3d2-4f47-93b0-10bdf182a09c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:15.230Z", + "modified": "2023-09-19T21:42:52.198Z", "name": "Encrypt Network Traffic", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", "labels": [ "IEC 62443-3-3:2013 - SR 4.1", "IEC 62443-4-2:2019 - CR 4.1", - "NIST SP 800-53 Rev. 4 - SC-8" + "NIST SP 800-53 Rev. 5 - SC-8" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json b/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json index 36721a5a81..f4130b2e38 100644 --- a/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json +++ b/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--4371515d-8be0-4d95-8aef-072372b58713", + "id": "bundle--459627ef-e431-4928-83e1-389f9e6b1a2e", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:19.383Z", + "modified": "2023-09-19T21:31:48.809Z", "name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "labels": [ "IEC 62443-3-3:2013 - SR 1.11", "IEC 62443-4-2:2019 - CR 1.11", - "NIST SP 800-53 Rev. 4 - IA-5" + "NIST SP 800-53 Rev. 5 - IA-5" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "created": "2019-06-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json b/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json index 10bd6dee5f..ae9d878b1a 100644 --- a/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json +++ b/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json 
@@ -1,25 +1,26 @@ { "type": "bundle", - "id": "bundle--8847406c-8ec3-4aa1-bf83-5fc90c364d58", + "id": "bundle--88c01dac-1576-471e-a711-7fc8badefb8c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:16.730Z", + "modified": "2023-09-19T21:32:48.390Z", "name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "labels": [ + "NIST SP 800-53 Rev. 4 - AT-3", "NIST SP 800-53 Rev. 4 - AT-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", "created": "2017-10-25T14:48:53.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -29,7 +30,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json b/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json index c0979deaa0..e41043bff0 100644 --- a/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json +++ b/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json 
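Review bot: The `labels` array of Application Developer Guidance now contains the same string twice, `"NIST SP 800-53 Rev. 4 - AT-3"`, and both copies still say Rev. 4, while the other mitigations in this commit were moved to Rev. 5. It looks as if a Rev. 5 entry was meant to replace the existing one but was written with the old text; the array should probably hold the single entry `"NIST SP 800-53 Rev. 5 - AT-3"`. As committed, a consumer that builds control-coverage mappings from labels may count AT-3 twice, or drop this mitigation entirely when it filters on the Rev. 5 prefix.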
@@ -1,26 +1,26 @@ { "type": "bundle", - "id": "bundle--e3ee4de6-70d8-4eeb-80b9-cfebf9b15cb7", + "id": "bundle--c80244f4-5a27-4ff7-bf66-80144b564077", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:20.632Z", + "modified": "2023-09-19T21:38:22.681Z", "name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "labels": [ "IEC 62443-4-2:2019 - CR 3.14", - "NIST SP 800-53 Rev. 4 - SI-7" + "NIST SP 800-53 Rev. 5 - SI-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "created": "2019-06-11T17:02:36.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -30,7 +30,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json b/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json index b664f07cae..3987ae2229 100644 --- a/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json +++ b/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e0519f0-c0c5-462a-b73f-917455691305", + "id": "bundle--0f03a762-7597-4098-8ff0-49c3e4d88411", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json b/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json index ef95cb7b9a..2d4f2452a3 100644 --- a/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json +++ b/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json @@ -1,26 +1,26 @@ { "type": "bundle", - "id": "bundle--664848cc-22b1-4e92-828c-b034c76fc8e0", + "id": "bundle--4b45838e-fc0d-421d-abdb-81706924cbe5", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:21.512Z", + "modified": "2023-09-20T13:13:41.305Z", "name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.", "labels": [ "IEC 62443-4-2:2019 - CR 3.10", - "NIST SP 800-53 Rev. 4 - SI-2" + "NIST SP 800-53 Rev. 5 - SI-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "created": "2019-06-11T17:12:55.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -30,7 +30,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json b/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json index 3804e84675..9499f48d09 100644 
--- a/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json +++ b/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--124421fc-5995-4b53-bd6e-8c923d60fdbf", + "id": "bundle--3250ef16-977c-4556-baba-3f4affdb3019", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json b/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json index 92df540a8b..a35182e1a1 100644 --- a/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json +++ b/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f77182c6-4292-43a3-9f51-4ca845af459f", + "id": "bundle--58c2cb87-7013-4351-8a7a-88b5e5ad27dc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json b/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json index 783baed8bd..a800798b9a 100644 --- a/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json +++ b/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--36b87193-0107-4b2f-bed8-a7f1fbada820", + "id": "bundle--8ef814c3-8804-46aa-8fbc-91414c70ddf5", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:18.276Z", + "modified": "2023-09-19T21:50:30.709Z", "name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json b/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json index 4094dc3643..f8db6810ee 100644 --- a/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json +++ b/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json 
@@ -1,27 +1,27 @@
 {
 "type": "bundle",
- "id": "bundle--b630160b-4bc4-4b30-9042-1f08f2ab78b1",
+ "id": "bundle--ba590ec0-093e-48af-bb68-aa1330e3f163",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-30T20:55:19.007Z",
+ "modified": "2023-09-19T21:48:22.980Z",
 "name": "Limit Hardware Installation",
 "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.",
 "labels": [
 "IEC 62443-3-3:2013 - SR 3.2",
 "IEC 62443-4-2:2019 - EDR 3.2",
- "NIST SP 800-53 Rev. 4 - MP-7"
+ "NIST SP 800-53 Rev. 5 - MP-7"
 ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
 "x_mitre_domains": [
 "ics-attack"
 ],
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
 "type": "course-of-action",
 "id": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0",
 "created": "2019-06-11T16:28:41.809Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -31,7 +31,9 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json b/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json
index 447ed33cb4..4a5bef7b69 100644
--- a/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json
+++ b/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json
@@ -1,27 +1,27 @@
 {
 "type": "bundle",
- "id": "bundle--da12d452-4be1-4122-a01b-90d18f8c432a",
+ "id": "bundle--e961772c-83ce-4664-a549-cbf766510578",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-30T20:55:19.946Z",
+ "modified": "2023-09-19T21:43:17.085Z",
 "name": "Encrypt Sensitive Information",
 "description": "Protect sensitive data-at-rest with strong encryption.",
 "labels": [
 "IEC 62443-3-3:2013 - SR 4.1",
 "IEC 62443-4-2:2019 - CR 4.1",
- "NIST SP 800-53 Rev. 4 - SC-28"
+ "NIST SP 800-53 Rev. 5 - SC-28"
 ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
 "x_mitre_domains": [
 "ics-attack"
 ],
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
 "type": "course-of-action",
 "id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
 "created": "2019-06-11T16:43:44.834Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -31,7 +31,9 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json b/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json
index 74f03cc0ea..12b7ef0a49 100644
--- a/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json
+++ b/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json
@@ -1,22 +1,20 @@
 {
 "type": "bundle",
- "id": "bundle--8259b2ea-d3e3-49b9-aeeb-48c0d29363ee",
+ "id": "bundle--10daf1ad-6ede-4ee6-b22a-50ff4988aaa8",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-30T20:55:14.969Z",
+ "modified": "2023-09-19T21:49:34.958Z",
 "name": "Network Allowlists",
 "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.",
 "labels": [
- "NIST SP 800-53 Rev. 4 - AC-3"
+ "NIST SP 800-53 Rev. 5 - AC-3"
 ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
 "x_mitre_domains": [
 "ics-attack"
 ],
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
 "type": "course-of-action",
 "id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
 "created": "2019-06-10T20:53:36.319Z",
@@ -31,7 +29,9 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json b/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json
index c1de63f205..d286031aa8 100644
--- a/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json
+++ b/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json
@@ -1,25 +1,26 @@
 {
 "type": "bundle",
- "id": "bundle--b14b6620-dfc6-483a-958b-16193b4bbf75",
+ "id": "bundle--55c7e527-9853-47ac-8bbd-81f8b060038e",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-30T20:55:16.556Z",
+ "modified": "2023-09-20T13:13:12.169Z",
 "name": "Supply Chain Management",
 "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.",
 "labels": [
- "NIST SP 800-53 Rev. 4 - SA-12"
+ "NIST SP 800-53 Rev. 4 - SA-12",
+ "NIST SP 800-53 Rev. 5 - SR-1"
 ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
 "x_mitre_domains": [
 "ics-attack"
 ],
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
 "type": "course-of-action",
 "id": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c",
 "created": "2021-04-12T17:00:21.233Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -29,7 +30,9 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json b/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json
index 693a34708a..857e0caf10 100644
--- a/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json
+++ b/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json
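Review bot: The `labels` array for Supply Chain Management keeps `"NIST SP 800-53 Rev. 4 - SA-12"` and appends `"NIST SP 800-53 Rev. 5 - SR-1"`, while most other course-of-action objects in this patch replace the Rev. 4 label with its Rev. 5 counterpart. The same dual labelling appears later in the patch for Audit (`SI-7`) and Antivirus/Antimalware (`SI-3`). Keeping SA-12 may be deliberate if that control has no same-numbered Rev. 5 equivalent, but for SI-7 and SI-3 the control id is unchanged, so the leftover Rev. 4 entry looks like an oversight. Anything that maps mitigations to controls by parsing `labels` will see two revisions for these three objects only; either drop the Rev. 4 entries there or state the retention rule in the release notes.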
@@ -1,27 +1,27 @@
 {
 "type": "bundle",
- "id": "bundle--66caee74-ec63-4f09-b5a1-f41865a4da87",
+ "id": "bundle--f8818a55-b15e-4146-b262-d7d1ebbe9586",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-30T20:55:21.679Z",
+ "modified": "2023-09-19T21:41:39.667Z",
 "name": "Data Backup",
 "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.",
 "labels": [
 "IEC 62443-3-3:2013 - SR 7.3",
 "IEC 62443-4-2:2019 - CR 7.3",
- "NIST SP 800-53 Rev. 4 - CP-9"
+ "NIST SP 800-53 Rev. 5 - CP-9"
 ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
 "x_mitre_domains": [
 "ics-attack"
 ],
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
 "type": "course-of-action",
 "id": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
 "created": "2019-07-19T14:33:33.543Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -36,7 +36,9 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json b/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json
index 494a3d03e2..e3aeb56279 100644
--- a/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json +++ b/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json 
@@ -1,45 +1,47 @@ { "type": "bundle", - "id": "bundle--548eef48-3610-4b06-ac17-63c5683f530b", + "id": "bundle--5cd7944b-d93f-4437-85cf-e6853ba82082", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:15.598Z", + "modified": "2023-09-19T21:50:55.129Z", "name": "Out-of-Band Communications Channel", "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)", "labels": [ - "NIST SP 800-53 Rev. 4 - SC-37" + "NIST SP 800-53 Rev. 5 - SC-37" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0810", "external_id": "M0810" }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - }, { "source_name": "Defense Advanced Research Projects Agency", "description": "Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 
2020/09/17 ", "url": "https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json b/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json index 15ee6a3848..42aa769a74 100644 --- a/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json +++ b/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json 
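Review bot: The Out-of-Band Communications Channel label moves to `"NIST SP 800-53 Rev. 5 - SC-37"`, but the re-added external reference "National Institute of Standards and Technology April 2013" still points at `NIST.SP.800-53r4.pdf`, so the citation in the description and the label now name different revisions of the standard. The unchanged Defense Advanced Research Projects Agency entry also has the NIST citation text pasted into its `description` ahead of the RADICS title. Since this hunk already reorders the two references, it is the natural place to trim that to `"Defense Advanced Research Projects Agency Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 "`. Readers following the citation to check the control text should be able to tell which revision the mitigation is mapped against.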
@@ -1,27 +1,28 @@
 {
 "type": "bundle",
- "id": "bundle--1aa81b4e-05c4-4393-a6e1-be42a692b130",
+ "id": "bundle--e3f9a4c2-93b2-4d8d-9980-c6db9094a21f",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-30T20:55:20.836Z",
+ "modified": "2023-09-19T21:34:08.571Z",
 "name": "Audit",
 "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.",
 "labels": [
 "IEC 62443-3-3:2013 - SR 3.4",
 "IEC 62443-4-2:2019 - CR 3.4",
- "NIST SP 800-53 Rev. 4 - SI-7"
+ "NIST SP 800-53 Rev. 4 - SI-7",
+ "NIST SP 800-53 Rev. 5 - SI-7"
 ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
 "x_mitre_domains": [
 "ics-attack"
 ],
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
 "type": "course-of-action",
 "id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
 "created": "2019-06-11T17:06:14.029Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "mitre-attack",
@@ -31,7 +32,9 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json b/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json
index 418968e017..83392723fa 100644
--- a/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json +++ b/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json @@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--a010090d-3f16-4f7e-814c-da8599564967", + "id": "bundle--2acb711f-4058-4e1c-987e-5249eee3d0e6", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:14.263Z", + "modified": "2023-09-19T21:40:49.135Z", "name": "Communication Authenticity", "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.", "labels": [ "IEC 62443-3-3:2013 - SR 3.1", "IEC 62443-4-2:2019 - CR 3.1", - "NIST SP 800-53 Rev. 4 - SC-8; SC-23" + "NIST SP 800-53 Rev. 5 - SC-8; SC-23" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json b/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json index a21cf86485..f04d657fe4 100644 
--- a/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json +++ b/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json @@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--2a395ddb-6316-4269-8e7b-86a989bb06ea", + "id": "bundle--674fab5b-890a-495f-b114-05a1dbde0a78", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:20.110Z", + "modified": "2023-09-19T21:42:11.231Z", "name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "created": "2019-06-11T16:45:19.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json b/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json index 9c9b3d8694..0dc55c6251 100644 --- a/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json +++ b/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de2cca52-6639-4689-9924-c1174355051d", + "id": "bundle--a59bc492-9787-4987-95ad-59df873f8860", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json b/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json index 640f9f2a01..b619fe3810 100644 --- a/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json +++ b/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83d6b557-b464-41b1-b601-015f93865f8e", + "id": "bundle--82b1e029-1bae-4863-b4fd-1a336b5a7b34", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json b/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json index 86d7d845e5..bd9a969f1a 100644 --- a/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json +++ b/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json 
@@ -1,25 +1,25 @@ { "type": "bundle", - "id": "bundle--19b957d9-c2df-4708-8b0e-fd08381f3d1e", + "id": "bundle--664ceaaf-6b25-4ebf-af9d-572b905d4594", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:17.076Z", + "modified": "2023-09-20T13:14:30.311Z", "name": "User Training", "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "labels": [ - "NIST SP 800-53 Rev. 4 - AT-2" + "NIST SP 800-53 Rev. 5 - AT-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "created": "2019-06-06T16:50:04.963Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -29,7 +29,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json b/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json index bc9d366200..1f27f8d04d 100644 --- a/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json +++ b/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--4ee2a656-2cb5-4763-8ef6-ebe69fa79e4d", + "id": "bundle--ec2e80aa-a8fc-41cd-93bc-ae44540ab880", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:18.842Z", + "modified": "2023-09-19T21:49:12.466Z", "name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.", "labels": [ "IEC 62443-3-3:2013 - SR 1.7", "IEC 62443-4-2:2019 - CR 1.7", - "NIST SP 800-53 Rev. 4 - IA-2" + "NIST SP 800-53 Rev. 5 - IA-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "created": "2019-06-10T20:53:36.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json b/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json index 8b58407ec7..abe4301ce1 100644 --- a/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json 
+++ b/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json @@ -1,25 +1,25 @@ { "type": "bundle", - "id": "bundle--ee2a4de7-7066-4ffc-bd59-86ddce8acd2c", + "id": "bundle--b6d665a9-7cea-4ab0-941d-1d8c11988ff3", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:16.897Z", + "modified": "2023-09-20T13:15:23.350Z", "name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "labels": [ - "NIST SP 800-53 Rev. 4 - RA-5" + "NIST SP 800-53 Rev. 5 - RA-5" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "created": "2019-06-06T16:47:30.700Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -29,7 +29,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json b/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json index 0dce9d0b04..913352a1b3 100644 --- a/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json +++ b/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json 
@@ -1,47 +1,49 @@ { "type": "bundle", - "id": "bundle--48ba8f57-622d-4d71-80c8-8fd3f8e7707a", + "id": "bundle--8aab6e16-1bb7-4662-9131-0fe6f3232040", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:13.851Z", + "modified": "2023-10-20T17:01:38.562Z", "name": "Authorization Enforcement", "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", "labels": [ "IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 4 - AC-3" + "NIST SP 800-53 Rev. 5 - AC-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0800", "external_id": "M0800" }, - { - "source_name": "International Electrotechnical Commission July 2020", - "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 
2020/09/17 ", - "url": "https://webstore.iec.ch/publication/6912" - }, { "source_name": "Institute of Electrical and Electronics Engineers January 2014", "description": "Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 2020/09/17 ", "url": "https://standards.ieee.org/standard/1686-2013.html" + }, + { + "source_name": "International Electrotechnical Commission July 2020", + "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ", + "url": "https://webstore.iec.ch/publication/6912" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json b/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json index e05cd0ba7c..97291060cb 100644 --- a/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json +++ b/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--8e73ddb0-1317-4f97-8823-698dd3d2460e", + "id": "bundle--868c2e2e-50a8-44e7-a697-24fc3e0129aa", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:17.252Z", + "modified": "2023-09-20T13:14:10.061Z", "name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "labels": [ "IEC 62443-3-3:2013 - SR 1.3", "IEC 62443-4-2:2019 - CR 1.3", - "NIST SP 800-53 Rev. 4 - AC-2" + "NIST SP 800-53 Rev. 5 - AC-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "created": "2019-06-06T16:50:58.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json b/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json index c2f9c0a7c4..e5ff9a90b2 100644 --- a/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json +++ b/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json 
@@ -1,25 +1,25 @@ { "type": "bundle", - "id": "bundle--4581dc04-f963-4f04-9364-a3003f174db9", + "id": "bundle--f7e6d1ea-2838-442c-9d7a-83e7d47e1487", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:15.773Z", + "modified": "2023-09-19T21:52:11.728Z", "name": "Redundancy of Service", "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.", "labels": [ - "NIST SP 800-53 Rev. 4 - CP-9" + "NIST SP 800-53 Rev. 5 - CP-9" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -29,7 +29,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json b/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json index 53f8eba03b..3dfbb9978e 100644 --- a/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json +++ b/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--9b89d1cd-d9f8-4169-a5b2-c684d5a433ba", + "id": "bundle--d548484a-6a26-41b5-a5fe-06810806e814", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:17.592Z", + "modified": "2023-09-20T13:10:12.604Z", "name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "labels": [ "IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 4 - AC-6" + "NIST SP 800-53 Rev. 5 - AC-6" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "created": "2019-06-06T20:54:49.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json b/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json index 6caff73344..114f5dec95 100644 --- a/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json +++ b/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json 
@@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--5d32b2c5-c88e-410e-99fe-a19cd2fa461a", + "id": "bundle--5a49b4d8-9213-49f4-b954-ed0bf96ff345", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:21.915Z", + "modified": "2023-09-20T13:12:04.727Z", "name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21", "created": "2019-07-19T14:40:23.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -31,7 +31,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json b/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json index 7210742253..5f16c24dc6 100644 --- a/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json +++ b/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json 
@@ -1,27 +1,28 @@ { "type": "bundle", - "id": "bundle--ccddb982-78c0-417c-9cde-756e510379b4", + "id": "bundle--2ffac662-c5ba-4c75-a040-679852408f77", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:21.180Z", + "modified": "2023-09-19T21:32:18.375Z", "name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)", "labels": [ "IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", - "NIST SP 800-53 Rev. 4 - SI-3" + "NIST SP 800-53 Rev. 4 - SI-3", + "NIST SP 800-53 Rev. 5 - SI-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "created": "2019-06-11T17:08:33.055Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -36,7 +37,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json b/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json index 4dd376c384..8b168f6417 100644 
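Review bot: The `labels` array for "Antivirus/Antimalware" in the first hunk keeps `"NIST SP 800-53 Rev. 4 - SI-3"` and adds `"NIST SP 800-53 Rev. 5 - SI-3"` beside it, whereas the other course-of-action objects visible in this commit replace the Rev. 4 label outright. A consumer that maps mitigations to controls by label would report this one under both revisions. If the dual mapping is not intended, drop the Rev. 4 line so that the array ends with `"NIST SP 800-53 Rev. 5 - SI-3"` only. The copy of this object in `ics-attack/ics-attack.json` is not visible here and should be checked for the same labels.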
--- a/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json +++ b/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json @@ -1,27 +1,27 @@ { "type": "bundle", - "id": "bundle--1d8249d6-39b2-4406-85c2-44dfc68734f1", + "id": "bundle--269a2cd8-7c52-4d1b-bf9f-11aa1a78d488", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-30T20:55:14.800Z", + "modified": "2023-09-19T21:48:44.925Z", "name": "Minimize Wireless Signal Propagation", "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)", "labels": [ "IEC 62443-3-3:2013 - SR 1.6", "IEC 62443-4-2:2019 - CR 1.6", - "NIST SP 800-53 Rev. 4 - SC-40" + "NIST SP 800-53 Rev. 5 - SC-40" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -41,7 +41,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/ics-attack.json b/ics-attack/ics-attack.json index 828e5324d9..0998386cf9 100644 --- a/ics-attack/ics-attack.json 
+++ b/ics-attack/ics-attack.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f187f2a-a62a-4d35-95db-158a5c0d3ec3", + "id": "bundle--44ee0685-40ff-488c-917b-da33eb7d5442", "objects": [ { "tactic_refs": [ @@ -42,24 +42,24 @@ "x_mitre_version": "1.0" }, { - "modified": "2023-03-30T20:55:21.006Z", + "modified": "2023-09-19T21:33:26.200Z", "name": "Application Isolation and Sandboxing", "description": "Restrict the execution of code to a virtual environment on or in-transit to an endpoint system.", "labels": [ "IEC 62443-3-3:2013 - SR 5.4", "IEC 62443-4-2:2019 - CR 5.4", - "NIST SP 800-53 Rev. 4 - SI-3" + "NIST SP 800-53 Rev. 5 - SI-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", "created": "2019-06-11T17:06:56.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -69,27 +69,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:19.604Z", + "modified": "2023-09-19T21:44:59.425Z", "name": "Filter Network Traffic", "description": "Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic. Perform inline allow/denylisting of network messages based on the application layer (OSI Layer 7) protocol, especially for automation protocols. Application allowlists are beneficial when there are well-defined communication sequences, types, rates, or patterns needed during expected system operations. Application denylists may be needed if all acceptable communication sequences cannot be defined, but instead a set of known malicious uses can be denied (e.g., excessive communication attempts, shutdown messages, invalid commands). Devices performing these functions are often referred to as deep-packet inspection (DPI) firewalls, context-aware firewalls, or firewalls blocking specific automation/SCADA protocol aware firewalls. (Citation: Centre for the Protection of National Infrastructure February 2005)", "labels": [ "IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", - "NIST SP 800-53 Rev. 4 - AC-3; SC-7" + "NIST SP 800-53 Rev. 5 - AC-3; SC-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "created": "2019-06-11T16:33:55.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -104,27 +106,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:17.426Z", + "modified": "2023-09-20T13:11:35.668Z", "name": "Restrict Web-Based Content", "description": "Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.", "labels": [ "IEC 62443-3-3:2013 - SR 2.4", "IEC 62443-4-2:2019 - HDR 2.4", - "NIST SP 800-53 Rev. 4 - SC-18" + "NIST SP 800-53 Rev. 5 - SC-18" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", "created": "2019-06-06T20:52:59.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -134,18 +138,20 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-31T19:16:54.636Z", + "modified": "2023-09-20T13:14:57.819Z", "name": "Validate Program Inputs", "description": "Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.(Citation: PLCTop20 Mar 2023)", "labels": [ - "NIST SP 800-53 Rev. 4 - SI-10", "IEC 62443-3-3:2013 - SR 3.5", "IEC 62443-3-3:2013 - SR 3.6", "IEC 62443-4-2:2019 - CR 3.5", - "IEC 62443-4-2:2019 - CR 3.6" + "IEC 62443-4-2:2019 - CR 3.6", + "NIST SP 800-53 Rev. 5 - SI-10" ], "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -176,53 +182,55 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:18.480Z", + "modified": "2023-09-19T21:50:12.354Z", "name": "Network Segmentation", "description": "Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Restrict network access to only required systems and services. In addition, prevent systems from other networks or business functions (e.g., enterprise) from accessing critical process control systems. For example, in IEC 62443, systems within the same secure level should be grouped into a zone, and access to that zone is restricted by a conduit, or mechanism to restrict data flows between zones by segmenting the network. (Citation: IEC February 2019) (Citation: IEC August 2013)", "labels": [ "IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", - "NIST SP 800-53 Rev. 4 - AC-3" + "NIST SP 800-53 Rev. 5 - AC-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", "created": "2019-06-10T20:41:03.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0930", "external_id": "M0930" }, - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - }, { "source_name": "IEC August 2013", "description": "IEC 2013, August Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels Retrieved. 2020/09/25 ", "url": "https://webstore.iec.ch/publication/7033" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-04-11T20:51:32.610Z", + "modified": "2023-09-20T13:10:52.949Z", "name": "Restrict Library Loading", "description": "Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -273,24 +281,24 @@ ] }, { - "modified": "2023-03-30T20:55:18.665Z", + "modified": "2023-09-19T21:49:53.366Z", "name": "Network Intrusion Prevention", "description": "Use intrusion detection signatures to block traffic at network boundaries. In industrial control environments, network intrusion prevention should be configured so it will not disrupt protocols and communications responsible for real-time functions related to control or safety.", "labels": [ "IEC 62443-3-3:2013 - SR 6.2", "IEC 62443-4-2:2019 - CR 6.2", - "NIST SP 800-53 Rev. 4 - SI-4" + "NIST SP 800-53 Rev. 5 - SI-4" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", "created": "2019-06-10T20:46:02.263Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -300,27 +308,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:17.759Z", + "modified": "2023-09-20T13:11:12.773Z", "name": "Restrict Registry Permissions", "description": "Restrict the ability to modify certain hives or keys in the Windows Registry.", "labels": [ "IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 4 - AC-6" + "NIST SP 800-53 Rev. 5 - AC-6" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", "created": "2019-06-06T20:58:59.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -330,7 +340,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-30T20:55:14.442Z", 
@@ -362,44 +374,46 @@ ] }, { - "modified": "2023-03-30T20:55:14.081Z", + "modified": "2023-09-19T21:30:56.250Z", "name": "Access Management", "description": "Access Management technologies can be used to enforce authorization polices and decisions, especially when existing field devices do not provided sufficient capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials. (Citation: Centre for the Protection of National Infrastructure November 2010)", "labels": [ "IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 4 - AC-3" + "NIST SP 800-53 Rev. 5 - AC-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0801", "external_id": "M0801" }, - { - "source_name": "McCarthy, J et al. July 2018", - "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", - "url": "https://doi.org/10.6028/NIST.SP.1800-2" - }, { "source_name": "Centre for the Protection of National Infrastructure November 2010", "description": "Centre for the Protection of National Infrastructure 2010, November Configuring and Managing Remote Access for Industrial Control Systems Retrieved. 
2020/09/25 ", "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/RP_Managing_Remote_Access_S508NC.pdf" + }, + { + "source_name": "McCarthy, J et al. July 2018", + "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", + "url": "https://doi.org/10.6028/NIST.SP.1800-2" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", @@ -427,24 +441,24 @@ ] }, { - "modified": "2023-03-30T20:55:21.352Z", + "modified": "2023-09-19T21:44:04.416Z", "name": "Exploit Protection", "description": "Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.", "labels": [ "IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", - "NIST SP 800-53 Rev. 4 - SI-16" + "NIST SP 800-53 Rev. 5 - SI-16" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", "created": "2019-06-11T17:10:57.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -454,27 +468,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:19.179Z", + "modified": "2023-09-19T21:48:00.950Z", "name": "Limit Access to Resource Over Network", "description": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.", "labels": [ "IEC 62443-3-3:2013 - SR 5.1", "IEC 62443-4-2:2019 - CR 5.1", - "NIST SP 800-53 Rev. 4 - AC-3; SC-7" + "NIST SP 800-53 Rev. 5 - AC-3; SC-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", "created": "2019-06-11T16:30:16.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -484,27 +500,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:19.774Z", + "modified": "2023-09-19T21:43:44.551Z", "name": "Execution Prevention", "description": "Block execution of code on a system through application control, and/or script blocking.", "labels": [ "IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", - "NIST SP 800-53 Rev. 4 - SI-3" + "NIST SP 800-53 Rev. 5 - SI-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", "created": "2019-06-11T16:35:25.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -514,16 +532,18 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-04-05T14:21:27.977Z", + "modified": "2023-09-20T13:12:51.139Z", "name": "Static Network Configuration", "description": "Configure hosts and devices to use static network configurations when possible, protocols that require dynamic discovery/addressing (e.g., ARP, DHCP, DNS) can be used to manipulate network message forwarding and enable various AiTM attacks. This mitigation may not always be usable due to limited device features or challenges introduced with different network configurations.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], "x_mitre_deprecated": false, "x_mitre_domains": [ @@ -549,24 +569,24 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:18.097Z", + "modified": "2023-09-19T21:51:14.526Z", "name": "Password Policies", "description": "Set and enforce secure password policies for accounts.", "labels": [ "IEC 62443-3-3:2013 - SR 1.5", "IEC 62443-4-2:2019 - CR 1.5", - "NIST SP 800-53 Rev. 4 - IA-5" + "NIST SP 800-53 Rev. 5 - IA-5" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", "created": "2019-06-06T21:10:35.792Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -576,27 +596,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:17.929Z", + "modified": "2023-09-19T21:51:40.366Z", "name": "Privileged Account Management", "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", "labels": [ "IEC 62443-3-3:2013 - SR 1.3", "IEC 62443-4-2:2019 - CR 1.3", - "NIST SP 800-53 Rev. 4 - AC-2" + "NIST SP 800-53 Rev. 5 - AC-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", "created": "2019-06-06T21:09:47.115Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -606,24 +628,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:14.615Z", + "modified": "2023-10-20T17:02:00.299Z", "name": "Human User Authentication", "description": "Require user authentication before allowing access to data or accepting commands to a device. While strong multi-factor authentication is preferable, it is not always feasible within ICS environments. Performing strong user authentication also requires additional security controls and processes which are often the target of related adversarial techniques (e.g., Valid Accounts, Default Credentials). Therefore, associated ATT&CK mitigations should be considered in addition to this, including [Multi-factor Authentication](https://attack.mitre.org/mitigations/M0932), [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), [User Account Management](https://attack.mitre.org/mitigations/M0918), [Privileged Account Management](https://attack.mitre.org/mitigations/M0926), and [User Account Control](https://attack.mitre.org/mitigations/M1052).", "labels": [ "IEC 62443-3-3:2013 - SR 1.1", "IEC 62443-4-2:2019 - CR 1.1", - "NIST SP 800-53 Rev. 4 - IA-2" + "NIST SP 800-53 Rev. 5 - IA-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "created": "2020-09-11T16:32:21.854Z", 
@@ -638,7 +660,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", @@ -666,24 +690,24 @@ ] }, { - "modified": "2023-03-30T20:55:20.464Z", + "modified": "2023-09-19T21:39:41.056Z", "name": "Code Signing", "description": "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.", "labels": [ "IEC 62443-3-3:2013 - SR 3.4", "IEC 62443-4-2:2019 - CR 3.4", - "NIST SP 800-53 Rev. 4 - SI-7" + "NIST SP 800-53 Rev. 5 - SI-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "created": "2019-06-11T17:01:25.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -693,27 +717,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:15.949Z", + "modified": "2023-09-20T13:12:24.527Z", "name": "Software Process and Device Authentication", "description": "Require the authentication of devices and software processes where appropriate. Devices that connect remotely to other systems should require strong authentication to prevent spoofing of communications. Furthermore, software processes should also require authentication when accessing APIs.", "labels": [ "IEC 62443-3-3:2013 - SR 1.2", "IEC 62443-4-2:2019 - CR 1.2", - "NIST SP 800-53 Rev. 4 - IA-9" + "NIST SP 800-53 Rev. 5 - IA-9" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -723,27 +749,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:15.230Z", + "modified": "2023-09-19T21:42:52.198Z", "name": "Encrypt Network Traffic", "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.", "labels": [ "IEC 62443-3-3:2013 - SR 4.1", "IEC 62443-4-2:2019 - CR 4.1", - "NIST SP 800-53 Rev. 4 - SC-8" + "NIST SP 800-53 Rev. 5 - SC-8" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -753,27 +781,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:19.383Z", + "modified": "2023-09-19T21:31:48.809Z", "name": "Account Use Policies", "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", "labels": [ "IEC 62443-3-3:2013 - SR 1.11", "IEC 62443-4-2:2019 - CR 1.11", - "NIST SP 800-53 Rev. 4 - IA-5" + "NIST SP 800-53 Rev. 5 - IA-5" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", "created": "2019-06-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -783,25 +813,28 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:16.730Z", + "modified": "2023-09-19T21:32:48.390Z", "name": "Application Developer Guidance", "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", "labels": [ + "NIST SP 800-53 Rev. 4 - AT-3", "NIST SP 800-53 Rev. 4 - AT-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", "created": "2017-10-25T14:48:53.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
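Review bot: The `labels` array of "Application Developer Guidance" ends up holding the same string twice, because the added line `"NIST SP 800-53 Rev. 4 - AT-3",` repeats the entry already present as context, and neither is moved to Rev. 5 as in the neighbouring mitigations. If the intent matches the other hunks, the added line was presumably meant to be `"NIST SP 800-53 Rev. 5 - AT-3"` replacing the old entry; otherwise the duplicate should be dropped. The same Rev. 4/Rev. 5 mix appears in later hunks: Supply Chain Management keeps Rev. 4 SA-12 beside Rev. 5 SR-1, Audit lists SI-7 under both revisions, and Antivirus/Antimalware lists SI-3 under both. Anyone who maps these mitigations to controls by label should deduplicate and normalise the revision before relying on the result. The object continues past the end of this hunk.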
@@ -811,26 +844,28 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:20.632Z", + "modified": "2023-09-19T21:38:22.681Z", "name": "Boot Integrity", "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", "labels": [ "IEC 62443-4-2:2019 - CR 3.14", - "NIST SP 800-53 Rev. 4 - SI-7" + "NIST SP 800-53 Rev. 5 - SI-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", "created": "2019-06-11T17:02:36.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -840,7 +875,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", 
@@ -873,23 +910,23 @@ ] }, { - "modified": "2023-03-30T20:55:21.512Z", + "modified": "2023-09-20T13:13:41.305Z", "name": "Update Software", "description": "Perform regular software updates to mitigate exploitation risk. Software updates may need to be scheduled around operational down times.", "labels": [ "IEC 62443-4-2:2019 - CR 3.10", - "NIST SP 800-53 Rev. 4 - SI-2" + "NIST SP 800-53 Rev. 5 - SI-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "created": "2019-06-11T17:12:55.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -899,7 +936,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-30T20:55:16.383Z", 
@@ -959,24 +998,24 @@ ] }, { - "modified": "2023-03-30T20:55:18.276Z", + "modified": "2023-09-19T21:50:30.709Z", "name": "Operating System Configuration", "description": "Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -986,27 +1025,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:19.007Z", + "modified": "2023-09-19T21:48:22.980Z", "name": "Limit Hardware Installation", "description": "Block users or groups from installing or using unapproved hardware on systems, including USB devices.", "labels": [ "IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - EDR 3.2", - "NIST SP 800-53 Rev. 4 - MP-7" + "NIST SP 800-53 Rev. 5 - MP-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", "created": "2019-06-11T16:28:41.809Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1016,27 +1057,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:19.946Z", + "modified": "2023-09-19T21:43:17.085Z", "name": "Encrypt Sensitive Information", "description": "Protect sensitive data-at-rest with strong encryption.", "labels": [ "IEC 62443-3-3:2013 - SR 4.1", "IEC 62443-4-2:2019 - CR 4.1", - "NIST SP 800-53 Rev. 4 - SC-28" + "NIST SP 800-53 Rev. 5 - SC-28" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", "created": "2019-06-11T16:43:44.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1046,22 +1089,22 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:14.969Z", + "modified": "2023-09-19T21:49:34.958Z", "name": "Network Allowlists", "description": "Network allowlists can be implemented through either host-based files or system hosts files to specify what connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", "labels": [ - "NIST SP 800-53 Rev. 4 - AC-3" + "NIST SP 800-53 Rev. 5 - AC-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", "type": "course-of-action", "id": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "created": "2019-06-10T20:53:36.319Z", 
@@ -1076,25 +1119,28 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:16.556Z", + "modified": "2023-09-20T13:13:12.169Z", "name": "Supply Chain Management", "description": "Implement a supply chain management program, including policies and procedures to ensure all devices and components originate from a trusted supplier and are tested to verify their integrity.", "labels": [ - "NIST SP 800-53 Rev. 4 - SA-12" + "NIST SP 800-53 Rev. 4 - SA-12", + "NIST SP 800-53 Rev. 5 - SR-1" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", "created": "2021-04-12T17:00:21.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1104,27 +1150,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:21.679Z", + "modified": "2023-09-19T21:41:39.667Z", "name": "Data Backup", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of 'gold-copy' back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", "labels": [ "IEC 62443-3-3:2013 - SR 7.3", "IEC 62443-4-2:2019 - CR 7.3", - "NIST SP 800-53 Rev. 4 - CP-9" + "NIST SP 800-53 Rev. 5 - CP-9" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", "created": "2019-07-19T14:33:33.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1139,65 +1187,70 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:15.598Z", + "modified": "2023-09-19T21:50:55.129Z", "name": "Out-of-Band Communications Channel", "description": "Have alternative methods to support communication requirements during communication failures and data integrity attacks. (Citation: National Institute of Standards and Technology April 2013) (Citation: Defense Advanced Research Projects Agency)", "labels": [ - "NIST SP 800-53 Rev. 4 - SC-37" + "NIST SP 800-53 Rev. 5 - SC-37" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0810", "external_id": "M0810" }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - }, { "source_name": "Defense Advanced Research Projects Agency", "description": "Defense Advanced Research Projects Agency National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 ", "url": "https://www.darpa.mil/program/rapid-attack-detection-isolation-and-characterization-systems" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:20.836Z", + "modified": "2023-09-19T21:34:08.571Z", "name": "Audit", "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.", "labels": [ "IEC 62443-3-3:2013 - SR 3.4", "IEC 62443-4-2:2019 - CR 3.4", - "NIST SP 800-53 Rev. 4 - SI-7" + "NIST SP 800-53 Rev. 4 - SI-7", + "NIST SP 800-53 Rev. 
5 - SI-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "created": "2019-06-11T17:06:14.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -1207,27 +1260,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:14.263Z", + "modified": "2023-09-19T21:40:49.135Z", "name": "Communication Authenticity", "description": "When communicating over an untrusted network, utilize secure network protocols that both authenticate the message sender and can verify its integrity. This can be done either through message authentication codes (MACs) or digital signatures, to detect spoofed network messages and unauthorized connections.", "labels": [ "IEC 62443-3-3:2013 - SR 3.1", "IEC 62443-4-2:2019 - CR 3.1", - "NIST SP 800-53 Rev. 4 - SC-8; SC-23" + "NIST SP 800-53 Rev. 5 - SC-8; SC-23" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
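Review bot: In "Out-of-Band Communications Channel" the label is moved to `"NIST SP 800-53 Rev. 5 - SC-37"`, but the re-ordered `external_references` entry still cites the April 2013 document at `NIST.SP.800-53r4.pdf`, so the control label and its supporting citation now name different revisions. Either the reference should point at the Rev. 5 publication or the label should stay on the revision the citation supports. The "Defense Advanced Research Projects Agency" reference kept as context also has the NIST citation text pasted into its `description`, which looks like a merge artefact. It would read correctly as `"description": "Defense Advanced Research Projects Agency Rapid Attack Detection, Isolation and Characterization Systems (RADICS) Retrieved. 2020/09/17 "`.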
@@ -1237,27 +1292,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:20.110Z", + "modified": "2023-09-19T21:42:11.231Z", "name": "Disable or Remove Feature or Program", "description": "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", "created": "2019-06-11T16:45:19.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -1267,7 +1324,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2022-10-24T15:09:07.609Z", 
@@ -1325,22 +1384,22 @@ ] }, { - "modified": "2023-03-30T20:55:17.076Z", + "modified": "2023-09-20T13:14:30.311Z", "name": "User Training", "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "labels": [ - "NIST SP 800-53 Rev. 4 - AT-2" + "NIST SP 800-53 Rev. 5 - AT-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", "created": "2019-06-06T16:50:04.963Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1350,27 +1409,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:18.842Z", + "modified": "2023-09-19T21:49:12.466Z", "name": "Multi-factor Authentication", "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. Within industrial control environments assets such as low-level controllers, workstations, and HMIs have real-time operational control and safety requirements which may restrict the use of multi-factor.", "labels": [ "IEC 62443-3-3:2013 - SR 1.7", "IEC 62443-4-2:2019 - CR 1.7", - "NIST SP 800-53 Rev. 4 - IA-2" + "NIST SP 800-53 Rev. 5 - IA-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "created": "2019-06-10T20:53:36.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1380,25 +1441,27 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:16.897Z", + "modified": "2023-09-20T13:15:23.350Z", "name": "Vulnerability Scanning", "description": "Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.", "labels": [ - "NIST SP 800-53 Rev. 4 - RA-5" + "NIST SP 800-53 Rev. 5 - RA-5" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", "created": "2019-06-06T16:47:30.700Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1408,67 +1471,71 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:13.851Z", + "modified": "2023-10-20T17:01:38.562Z", "name": "Authorization Enforcement", "description": "The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector (Citation: International Electrotechnical Commission July 2020), while IEEE 1686 defines standard permissions for users of IEDs. (Citation: Institute of Electrical and Electronics Engineers January 2014)", "labels": [ "IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 4 - AC-3" + "NIST SP 800-53 Rev. 
5 - AC-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "1.1", "type": "course-of-action", "id": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M0800", "external_id": "M0800" }, - { - "source_name": "International Electrotechnical Commission July 2020", - "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 2020/09/17 ", - "url": "https://webstore.iec.ch/publication/6912" - }, { "source_name": "Institute of Electrical and Electronics Engineers January 2014", "description": "Institute of Electrical and Electronics Engineers 2014, January 1686-2013 - IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities Retrieved. 2020/09/17 ", "url": "https://standards.ieee.org/standard/1686-2013.html" + }, + { + "source_name": "International Electrotechnical Commission July 2020", + "description": "International Electrotechnical Commission 2020, July 17 IEC 62351 - Power systems management and associated information exchange - Data and communications security Retrieved. 
2020/09/17 ", + "url": "https://webstore.iec.ch/publication/6912" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:17.252Z", + "modified": "2023-09-20T13:14:10.061Z", "name": "User Account Management", "description": "Manage the creation, modification, use, and permissions associated to user accounts.", "labels": [ "IEC 62443-3-3:2013 - SR 1.3", "IEC 62443-4-2:2019 - CR 1.3", - "NIST SP 800-53 Rev. 4 - AC-2" + "NIST SP 800-53 Rev. 5 - AC-2" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "created": "2019-06-06T16:50:58.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1478,25 +1545,27 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:15.773Z", + "modified": "2023-09-19T21:52:11.728Z", "name": "Redundancy of Service", "description": "Redundancy could be provided for both critical ICS devices and services, such as back-up devices or hot-standbys.", "labels": [ - "NIST SP 800-53 Rev. 4 - CP-9" + "NIST SP 800-53 Rev. 5 - CP-9" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", "created": "2019-06-06T21:16:18.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1506,27 +1575,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:17.592Z", + "modified": "2023-09-20T13:10:12.604Z", "name": "Restrict File and Directory Permissions", "description": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "labels": [ "IEC 62443-3-3:2013 - SR 2.1", "IEC 62443-4-2:2019 - CR 2.1", - "NIST SP 800-53 Rev. 4 - AC-6" + "NIST SP 800-53 Rev. 5 - AC-6" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", "created": "2019-06-06T20:54:49.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1536,27 +1607,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:21.915Z", + "modified": "2023-09-20T13:12:04.727Z", "name": "Software Configuration", "description": "Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.", "labels": [ "IEC 62443-3-3:2013 - SR 7.7", "IEC 62443-4-2:2019 - CR 7.7", - "NIST SP 800-53 Rev. 4 - CM-7" + "NIST SP 800-53 Rev. 5 - CM-7" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21", "created": "2019-07-19T14:40:23.529Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1566,27 +1639,30 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:21.180Z", + "modified": "2023-09-19T21:32:18.375Z", "name": "Antivirus/Antimalware", "description": "Use signatures or heuristics to detect malicious software. Within industrial control environments, antivirus/antimalware installations should be limited to assets that are not involved in critical or real-time operations. To minimize the impact to system availability, all products should first be validated within a representative test environment before deployment to production systems. (Citation: NCCIC August 2018)", "labels": [ "IEC 62443-3-3:2013 - SR 3.2", "IEC 62443-4-2:2019 - CR 3.2", - "NIST SP 800-53 Rev. 4 - SI-3" + "NIST SP 800-53 Rev. 4 - SI-3", + "NIST SP 800-53 Rev. 5 - SI-3" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", "created": "2019-06-11T17:08:33.055Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -1601,27 +1677,29 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-30T20:55:14.800Z", + "modified": "2023-09-19T21:48:44.925Z", "name": "Minimize Wireless Signal Propagation", "description": "Wireless signals frequently propagate outside of organizational boundaries, which provide opportunities for adversaries to monitor or gain unauthorized access to the wireless network. (Citation: CISA March 2010) To minimize this threat, organizations should implement measures to detect, understand, and reduce unnecessary RF propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)", "labels": [ "IEC 62443-3-3:2013 - SR 1.6", "IEC 62443-4-2:2019 - CR 1.6", - "NIST SP 800-53 Rev. 4 - SC-40" + "NIST SP 800-53 Rev. 5 - SC-40" ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "ics-attack" ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "course-of-action", "id": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", "created": "2020-09-11T16:32:21.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", @@ -1641,7 +1719,9 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "modified": "2023-03-08T22:04:48.834Z", 
@@ -2135,7 +2215,7 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-10-12T17:33:00.482Z", + "modified": "2023-10-06T14:08:40.134Z", "name": "BlackEnergy", "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", "x_mitre_platforms": [ @@ -2146,7 +2226,7 @@ "enterprise-attack", "ics-attack" ], - "x_mitre_version": "1.3", + "x_mitre_version": "1.4", "x_mitre_aliases": [ "BlackEnergy", "Black Energy" @@ -2174,7 +2254,7 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { @@ -2317,7 +2397,7 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-08T22:03:50.370Z", + "modified": "2023-10-17T20:05:34.648Z", "name": "LockerGoga", "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", "x_mitre_platforms": [ @@ -2330,7 +2410,7 @@ ], "x_mitre_version": "2.0", "x_mitre_contributors": [ - "Joe Slowik - Dragos" + "Joe Slowik - Dragos" ], "x_mitre_aliases": [ "LockerGoga" 
@@ -2363,7 +2443,7 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { @@ -2801,16 +2881,18 @@ "x_mitre_deprecated": true }, { - "labels": [ - "malware" - ], + "modified": "2023-08-09T18:11:35.634Z", + "name": "Ryuk", + "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", "x_mitre_platforms": [ "Windows" ], + "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], + "x_mitre_version": "1.4", "x_mitre_contributors": [ "The DFIR Report, @TheDFIRReport", "Matt Brenton, Zurich Insurance Group" @@ -2818,18 +2900,16 @@ "x_mitre_aliases": [ "Ryuk" ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "malware", "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "created": "2020-05-13T20:14:53.171Z", - "x_mitre_version": "1.3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "external_id": "S0446", - "url": "https://attack.mitre.org/software/S0446" + "url": "https://attack.mitre.org/software/S0446", + "external_id": "S0446" }, { "source_name": "Ryuk", 
@@ -2837,32 +2917,32 @@ }, { "source_name": "Bleeping Computer - Ryuk WoL", - "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", - "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021." + "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" }, { "source_name": "FireEye Ryuk and Trickbot January 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" }, { "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" }, { "source_name": "FireEye FIN6 Apr 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "description": "McKeague, B. et al. (2019, April 5). 
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019." + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" } ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", - "modified": "2022-05-24T21:10:44.381Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Ryuk", - "x_mitre_attack_spec_version": "2.1.0", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -3086,7 +3166,7 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-08T22:13:42.357Z", + "modified": "2023-10-06T14:09:52.833Z", "name": "KillDisk", "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)", "x_mitre_platforms": [ @@ -3098,7 +3178,7 @@ "enterprise-attack", "ics-attack" ], - "x_mitre_version": "1.1", + "x_mitre_version": "1.2", "x_mitre_aliases": [ "KillDisk", "Win32/KillDisk.NBI", 
@@ -3145,11 +3225,11 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-10-20T20:37:50.556Z", + "modified": "2023-10-17T20:09:38.062Z", "name": "Industroyer", "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", "x_mitre_platforms": [ @@ -3163,7 +3243,7 @@ "x_mitre_version": "1.1", "x_mitre_contributors": [ "Dragos Threat Intelligence", - "Joe Slowik - Dragos" + "Joe Slowik - Dragos" ], "x_mitre_aliases": [ "Industroyer", @@ -3211,7 +3291,7 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -3607,7 +3687,7 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-10-24T15:09:07.609Z", + "modified": "2023-10-13T17:56:58.380Z", "name": "Block Command Message", "description": "Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [ 
@@ -3616,27 +3696,30 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Device Configuration/Parameters" - ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", "x_mitre_data_sources": [ + "Process: Process Termination", "Operational Databases: Process History/Live Data", - "Network Traffic: Network Traffic Flow", "Application Log: Application Log Content", - "Operational Databases: Process/Event Alarm", - "Process: Process Termination" + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process/Event Alarm" ], "type": "attack-pattern", "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
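Review bot: The added `"x_mitre_platforms": [ "None" ]` on `attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61` replaces the two concrete values (`Field Controller/RTU/PLC/IED`, `Device Configuration/Parameters`) with a sentinel string. A consumer that filters or groups techniques by platform will see a platform literally named None and will drop this technique from per-asset coverage and detection-mapping views. The same substitution appears in the later hunks for Service Stop, Modify Parameter, Modify Controller Tasking, Loss of View, Activate Firmware Update Mode, Denial of Service, Block Serial COM, Command-Line Interface, Point & Tag Identification, Device Restart/Shutdown and User Execution. If the asset association now lives in another object type elsewhere in this release (not visible in these hunks), I would omit the property or write `"x_mitre_platforms": []`, whichever the consuming schema allows, and state the migration in the commit message. The object's name sits in the preceding hunk and its `external_references` continue past the end of this one.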
@@ -3656,11 +3739,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_is_subtechnique": false + ] }, { - "modified": "2022-10-24T15:09:07.609Z", + "modified": "2023-10-13T17:56:58.586Z", "name": "Service Stop", "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment. (Citation: Enterprise ATT&CK) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction. (Citation: Enterprise ATT&CK)", "kill_chain_phases": [ 
@@ -3669,42 +3751,38 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Data Historian", - "Engineering Workstation" - ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Windows Registry: Windows Registry Key Modification", - "Process: Process Termination", "File: File Modification", - "Process: OS API Execution", - "Process: Process Creation", "Command: Command Execution", - "Service: Service Metadata" + "Process: OS API Execution", + "Process: Process Termination", + "Service: Service Metadata", + "Windows Registry: Windows Registry Key Modification", + "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "created": "2020-05-21T17:43:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T0881", "external_id": "T0881" }, - { - "source_name": "Enterprise ATT&CK", - "description": "Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 ", - "url": "https://attack.mitre.org/techniques/T1489/" - }, { "source_name": "Enterprise ATT&CK", "description": "Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 ", 
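Review bot: The de-duplication of the two `Enterprise ATT&CK` entries in `external_references` removes the readable citation and keeps the one whose description repeats itself (`Enterprise ATT&CK Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 Service Stop Retrieved. 2019/10/29 `). Citations are what an analyst follows to validate a technique, so the surviving entry should carry the text of the removed line: `"description": "Enterprise ATT&CK Service Stop Retrieved. 2019/10/29 ",`. The `url` of the kept entry falls outside this hunk, so confirm it still points to `https://attack.mitre.org/techniques/T1489/` as the removed entry did.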
@@ -3713,11 +3791,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_is_subtechnique": false + ] }, { - "modified": "2023-04-05T14:15:29.756Z", + "modified": "2023-10-13T17:56:58.786Z", "name": "Modify Parameter", "description": "Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. \n\nAn adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause [Impact](https://attack.mitre.org/tactics/TA0105) to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter.", "kill_chain_phases": [ @@ -3726,19 +3803,18 @@ "phase_name": "impair-process-control" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Human-Machine Interface" + "None" ], - "x_mitre_version": "1.2", + "x_mitre_version": "1.3", "x_mitre_data_sources": [ "Asset: Asset Inventory", "Application Log: Application Log Content", 
@@ -3759,12 +3835,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:56:58.991Z", "name": "Modify Controller Tasking", "description": "Adversaries may modify the tasking of a controller to allow for the execution of their own programs. This can allow an adversary to manipulate the execution flow and behavior of a controller. \n\nAccording to 61131-3, the association of a Task with a Program Organization Unit (POU) defines a task association. (Citation: IEC February 2013) An adversary may modify these associations or create new ones to manipulate the execution flow of a controller. Modification of controller tasking can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append.\n\nTasks have properties, such as interval, frequency and priority to meet the requirements of program execution. Some controller vendors implement tasks with implicit, pre-defined properties whereas others allow for these properties to be formulated explicitly. An adversary may associate their program with tasks that have a higher priority or execute associated programs more frequently. For instance, to ensure cyclic execution of their program on a Siemens controller, an adversary may add their program to the task, Organization Block 1 (OB1).", "kill_chain_phases": [ @@ -3773,7 +3847,7 @@ "phase_name": "execution" } ], - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ 
@@ -3782,12 +3856,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], - "x_mitre_version": "1.1", + "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Operational Databases: Device Alarm", "Application Log: Application Log Content", + "Operational Databases: Device Alarm", "Asset: Software" ], "type": "attack-pattern", 
@@ -3812,7 +3886,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:56:59.193Z", "name": "Wireless Sniffing", "description": "Adversaries may seek to capture radio frequency (RF) communication used for remote control and reporting in distributed environments. RF communication frequencies vary between 3 kHz to 300 GHz, although are commonly between 300 MHz to 6 GHz. (Citation: Candell, R., Hany, M., Lee, K. B., Liu,Y., Quimby, J., Remley, K. April 2018) The wavelength and frequency of the signal affect how the signal propagates through open air, obstacles (e.g. walls and trees) and the type of radio required to capture them. These characteristics are often standardized in the protocol and hardware and may have an effect on how the signal is captured. Some examples of wireless protocols that may be found in cyber-physical environments are: WirelessHART, Zigbee, WIA-FA, and 700 MHz Public Safety Spectrum. \n\nAdversaries may capture RF communications by using specialized hardware, such as software defined radio (SDR), handheld radio, or a computer with radio demodulator tuned to the communication frequency. (Citation: Bastille April 2017) Information transmitted over a wireless medium may be captured in-transit whether the sniffing device is the intended destination or not. This technique may be particularly useful to an adversary when the communications are not encrypted. (Citation: Gallagher, S. April 2017) \n\nIn the 2017 Dallas Siren incident, it is suspected that adversaries likely captured wireless command message broadcasts on a 700 MHz frequency during a regular test of the system. These messages were later replayed to trigger the alarm systems. (Citation: Gallagher, S. April 2017)", "kill_chain_phases": [ 
@@ -3875,7 +3949,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:56:59.396Z", "name": "Loss of View", "description": "Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)", "kill_chain_phases": [ @@ -3890,8 +3964,7 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "type": "attack-pattern", @@ -3926,7 +3999,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2022-10-24T15:09:07.609Z", + "modified": "2023-10-13T17:56:59.593Z", "name": "Activate Firmware Update Mode", "description": "Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.", "kill_chain_phases": [ 
@@ -3935,23 +4008,22 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" - ], - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_contributors": [ "Joe Slowik - Dragos" ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", "Operational Databases: Device Alarm", - "Network Traffic: Network Traffic Content" + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", 
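Review bot: Activate Firmware Update Mode gets a new `x_mitre_platforms` value here and a new `modified` timestamp in the preceding hunk, but `"x_mitre_version": "1.0"` is re-added unchanged and `"x_mitre_attack_spec_version": "2.1.0"` stays as context. Block Command Message receives the same kind of edit and goes to `"x_mitre_version": "1.1"` with spec `3.2.0`. Tooling that compares releases by `x_mitre_version` would not flag this object as changed, so mappings keyed on its platforms could go stale without notice. Block Serial COM (`@@ -4097,24 +4168,24 @@`) and Device Restart/Shutdown (`@@ -4288,21 +4351,23 @@`) likewise keep spec `2.1.0` and version `1.1`. If the versioning policy counts a platform change as a content change, bump the field (e.g. `"x_mitre_version": "1.1",`) and align the spec version with the other objects touched in this release. The object's `name` and `external_references` lie outside this hunk.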
@@ -3970,7 +4042,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:56:59.793Z", "name": "Manipulation of Control", "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle \n* Spoof command message \n* Changing setpoints \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)", "kill_chain_phases": [ 
@@ -4023,7 +4095,7 @@ ] }, { - "modified": "2023-03-30T20:16:01.922Z", + "modified": "2023-10-13T17:56:59.992Z", "name": "Denial of Service", "description": "Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. \n\nSome ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. (Citation: ICS-CERT April 2017) \n\nAdversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a denial of service condition. \n\nAdversaries may have prior knowledge about industrial protocols or control devices used in the environment through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888). There are examples of adversaries remotely causing a [Device Restart/Shutdown](https://attack.mitre.org/techniques/T0816) by exploiting a vulnerability that induces uncontrolled resource consumption. (Citation: ICS-CERT August 2018) (Citation: Common Weakness Enumeration January 2019) (Citation: MITRE March 2018) ", "kill_chain_phases": [ 
@@ -4032,22 +4104,23 @@ "phase_name": "inhibit-response-function" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", - "Operational Databases: Process History/Live Data", "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content", + "Operational Databases: Process History/Live Data" ], "type": "attack-pattern", "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", 
@@ -4083,12 +4156,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2022-10-20T21:02:54.674Z", + "modified": "2023-10-13T17:57:00.184Z", "name": "Block Serial COM", "description": "Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. \n\nA serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available -- 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.", "kill_chain_phases": [ 
@@ -4097,24 +4168,24 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Input/Output Server", - "Device Configuration/Parameters" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Operational Databases: Process/Event Alarm", - "Process: Process Termination", + "Network Traffic: Network Traffic Flow", "Operational Databases: Process History/Live Data", "Application Log: Application Log Content", - "Network Traffic: Network Traffic Flow" + "Process: Process Termination" ], "type": "attack-pattern", "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", @@ -4130,9 +4201,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "modified": "2023-05-08T20:13:24.241Z", 
@@ -4175,7 +4244,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:00.378Z", "name": "Command-Line Interface", "description": "Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. (Citation: Enterprise ATT&CK January 2018) Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation.\n\nCLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.", "kill_chain_phases": [ @@ -4193,17 +4262,13 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Process: Process Creation", + "Command: Command Execution", "Application Log: Application Log Content", - "Command: Command Execution" + "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", 
@@ -4227,7 +4292,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:00.575Z", "name": "Point & Tag Identification", "description": "Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables. (Citation: Dennis L. Sloatman September 2016) Tags are the identifiers given to points for operator convenience. \n\nCollecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.", "kill_chain_phases": [ @@ -4248,9 +4313,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Data Historian", - "Control Server", - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ @@ -4279,7 +4342,7 @@ ] }, { - "modified": "2022-09-26T16:50:56.401Z", + "modified": "2023-10-13T17:57:00.768Z", "name": "Device Restart/Shutdown", "description": "Adversaries may forcibly restart or shutdown a device in an ICS environment to disrupt and potentially negatively impact physical processes. Methods of device restart and shutdown exist in some devices as built-in, standard functionalities. These functionalities can be executed using interactive device web interfaces, CLIs, and network protocol commands.\n\nUnexpected restart or shutdown of control system devices may prevent expected response functions happening during critical states.\n\nA device restart can also be a sign of malicious device modifications, as many updates require a shutdown in order to take effect.", "kill_chain_phases": [ 
@@ -4288,21 +4351,23 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Operational Databases: Device Alarm", "Network Traffic: Network Traffic Flow", - "Network Traffic: Network Traffic Content", - "Application Log: Application Log Content" + "Application Log: Application Log Content", + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", 
@@ -4318,12 +4383,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:00.969Z", "name": "User Execution", "description": "Adversaries may rely on a targeted organizations user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. \n\nAdversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. (Citation: Booz Allen Hamilton) Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012 delivered malware through spearphishing attachments which required user action to achieve execution. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ 
@@ -4341,17 +4404,16 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", - "Process: Process Creation", - "Network Traffic: Network Connection Creation", - "Network Traffic: Network Traffic Content", "Command: Command Execution", - "File: File Access" + "Application Log: Application Log Content", + "Network Traffic: Network Connection Creation", + "File: File Access", + "Process: Process Creation", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", 
@@ -4385,7 +4447,7 @@ ] }, { - "modified": "2023-03-30T20:20:38.285Z", + "modified": "2023-10-13T17:57:01.165Z", "name": "Wireless Compromise", "description": "Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device. (Citation: Alexander Bolshev, Gleb Cherbov July 2014) (Citation: Alexander Bolshev March 2014) Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. \n\nA Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) The remote controller device allowed the student to interface with the trams network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. (Citation: Bruce Schneier January 2008) The controller then enabled initial access to the network, allowing the capture and replay of tram signals. (Citation: John Bill May 2017)", "kill_chain_phases": [ @@ -4394,6 +4456,7 @@ "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_contributors": [ "Scott Dougherty" ], 
@@ -4403,15 +4466,14 @@ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Field Controller/RTU/PLC/IED", - "Input/Output Server" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Logon Session: Logon Session Creation", + "Application Log: Application Log Content", "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", 
@@ -4453,12 +4515,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:01.367Z", "name": "Change Operating Mode", "description": "Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic. [Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. 
(Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", "kill_chain_phases": [ @@ -4480,13 +4540,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content", "Operational Databases: Device Alarm" ], "type": "attack-pattern", 
@@ -4526,7 +4585,7 @@ ] }, { - "modified": "2023-03-30T20:13:55.599Z", + "modified": "2023-10-13T17:57:01.578Z", "name": "Alarm Suppression", "description": "Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.\n\nA Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. (Citation: Jos Wetzels, Marina Krotofil 2019) The method of suppression may greatly depend on the type of alarm in question: \n\n* An alarm raised by a protocol message \n* An alarm signaled with I/O \n* An alarm bit set in a flag (and read) \n\nIn ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.", "kill_chain_phases": [ @@ -4535,6 +4594,7 @@ "phase_name": "inhibit-response-function" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_contributors": [ "Marina Krotofil", "Jos Wetzels - Midnight Blue" 
@@ -4545,17 +4605,16 @@ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Device Configuration/Parameters" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Operational Databases: Process History/Live Data", "Network Traffic: Network Traffic Flow", - "Operational Databases: Process/Event Alarm", - "Operational Databases: Device Alarm" + "Operational Databases: Process History/Live Data", + "Operational Databases: Device Alarm", + "Operational Databases: Process/Event Alarm" ], "type": "attack-pattern", "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", 
@@ -4576,12 +4635,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:01.778Z", "name": "Detect Operating Mode", "description": "Adversaries may gather information about a PLCs or controllers current operating mode. Operating modes dictate what change or maintenance functions can be manipulated and are often controlled by a key switch on the PLC (e.g., run, prog [program], and remote). Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below: \n\n* Program - This mode must be enabled before changes can be made to a devices program. This allows program uploads and downloads between the device and an engineering workstation. Often the PLCs logic Is halted, and all outputs may be forced off. (Citation: N.A. October 2017) \n* Run - Execution of the devices program occurs in this mode. Input and output (values, points, tags, elements, etc.) are monitored and used according to the programs logic.[Program Upload](https://attack.mitre.org/techniques/T0845) and [Program Download](https://attack.mitre.org/techniques/T0843) are disabled while in this mode. (Citation: Omron) (Citation: Machine Information Systems 2007) (Citation: N.A. October 2017) (Citation: PLCgurus 2021) \n* Remote - Allows for remote changes to a PLCs operation mode. (Citation: PLCgurus 2021) \n* Stop - The PLC and program is stopped, while in this mode, outputs are forced off. (Citation: Machine Information Systems 2007) \n* Reset - Conditions on the PLC are reset to their original states. 
Warm resets may retain some memory while cold resets will reset all I/O and data registers. (Citation: Machine Information Systems 2007) \n* Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for monitoring, force set, resets, and more generally tuning or debugging of the system. Often monitor mode may be used as a trial for initialization. (Citation: Omron)", "kill_chain_phases": [ @@ -4599,7 +4656,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ @@ -4642,7 +4699,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:01.994Z", "name": "Loss of Protection", "description": "Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel. \n\nMany faults and abnormal conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable protective system functions as a prerequisite to subsequent attack execution or to allow for future faults and abnormal conditions to go unchecked. Detection of a Loss of Protection by operators can result in the shutdown of a process due to strict policies regarding protection systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", "kill_chain_phases": [ 
@@ -4680,7 +4737,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:02.197Z", "name": "Monitor Process State", "description": "Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.", "kill_chain_phases": [ @@ -4695,11 +4752,7 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ 
@@ -4723,7 +4776,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:02.398Z", "name": "Scripting", "description": "Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. \n\nIn addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.", "kill_chain_phases": [ @@ -4741,15 +4794,15 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Command: Command Execution", - "Script: Script Execution", - "Module: Module Load", "Process: Process Creation", - "Process: Process Metadata" + "Process: Process Metadata", + "Module: Module Load", + "Script: Script Execution" ], "type": "attack-pattern", "id": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", 
@@ -4768,7 +4821,7 @@ ] }, { - "modified": "2023-03-17T15:14:31.276Z", + "modified": "2023-10-13T17:57:02.595Z", "name": "Remote System Information Discovery", "description": "An adversary may attempt to get detailed information about remote systems and their peripherals, such as make/model, role, and configuration. Adversaries may use information from Remote System Information Discovery to aid in targeting and shaping follow-on behaviors. For example, the system's operational role and model information can dictate whether it is a relevant target for the adversary's operational objectives. In addition, the system's configuration may be used to scope subsequent technique usage. \n\nRequests for system information are typically implemented using automation and management protocols and are often automatically requested by vendor software during normal operation. This information may be used to tailor management actions, such as program download and system or module firmware. An adversary may leverage this same information by issuing calls directly to the system's API.", "kill_chain_phases": [ @@ -4777,22 +4830,23 @@ "phase_name": "discovery" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "File: File Access", + "Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content", - "Process: Process Creation", - "Network Traffic: Network Traffic Flow" + "File: File Access", + "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", 
@@ -4808,12 +4862,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:02.785Z", "name": "Program Upload", "description": "Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.", "kill_chain_phases": [ @@ -4828,14 +4880,13 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", - "Application Log: Application Log Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", 
@@ -4854,7 +4905,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:02.990Z", "name": "Exploit Public-Facing Application", "description": "Adversaries may leverage weaknesses to exploit internet-facing software for initial access into an industrial network. Internet-facing software may be user applications, underlying networking implementations, an assets operating system, weak defenses, etc. Targets of this technique may be intentionally exposed for the purpose of remote management and visibility.\n\nAn adversary may seek to target public-facing applications as they may provide direct access into an ICS environment or the ability to move into the ICS network. Publicly exposed applications may be found through online tools that scan the internet for open ports and services. Version numbers for the exposed application may provide adversaries an ability to target specific known vulnerabilities. Exposed control protocol or remote access ports found in Commonly Used Port may be of interest by adversaries.", "kill_chain_phases": [ @@ -4872,7 +4923,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ 
@@ -4896,7 +4947,7 @@ ] }, { - "modified": "2023-03-30T19:09:43.744Z", + "modified": "2023-10-13T17:57:03.187Z", "name": "Data from Information Repositories", "description": "Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of information repositories include reference databases in the process environment, as well as databases in the corporate network that might contain information about the ICS.(Citation: Cybersecurity & Infrastructure Security Agency March 2018)\n\nInformation collected from these systems may provide the adversary with a better understanding of the operational environment, vendors used, processes, or procedures of the ICS.\n\nIn a campaign between 2011 and 2013 against ONG organizations, Chinese state-sponsored actors searched document repositories for specific information such as, system manuals, remote terminal unit (RTU) sites, personnel lists, documents that included the string SCAD*, user credentials, and remote dial-up access information. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ @@ -4905,20 +4956,22 @@ "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Data Historian" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Logon Session: Logon Session Creation", - "Network Share: Network Share Access" + "Network Share: Network Share Access", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", 
@@ -4944,12 +4997,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-30T20:19:41.272Z", + "modified": "2023-10-13T17:57:03.395Z", "name": "Transient Cyber Asset", "description": "Adversaries may target devices that are transient across ICS networks and external networks. Normally, transient assets are brought into an environment by authorized personnel and do not remain in that environment on a permanent basis. (Citation: North American Electric Reliability Corporation June 2021) Transient assets are commonly needed to support management functions and may be more common in systems where a remotely managed asset is not feasible, external connections for remote access do not exist, or 3rd party contractor/vendor access is required. \n\nAdversaries may take advantage of transient assets in different ways. For instance, adversaries may target a transient asset when it is connected to an external network and then leverage its trusted access in another environment to launch an attack. They may also take advantage of installed applications and libraries that are used by legitimate end-users to interact with control system devices. \n\nTransient assets, in some cases, may not be deployed with a secure configuration leading to weaknesses that could allow an adversary to propagate malicious executable code, e.g., the transient asset may be infected by malware and when connected to an ICS environment the malware propagates onto other systems. ", "kill_chain_phases": [ 
@@ -4958,19 +5009,21 @@ "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Application Log: Application Log Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", 
@@ -4986,17 +5039,15 @@ { "source_name": "North American Electric Reliability Corporation June 2021", "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", - "url": "https://www.nerc.com/files/glossary_of_terms.pdf" + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2022-10-20T20:46:11.459Z", + "modified": "2023-10-13T17:57:03.589Z", "name": "Manipulate I/O Image", "description": "Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. (Citation: Dr. Kelvin T. Erickson December 2010) During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules. \n\nOne of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.", "kill_chain_phases": [ 
@@ -5005,15 +5056,17 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Asset: Software" @@ -5042,12 +5095,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:03.783Z", "name": "Network Sniffing", "description": "Network sniffing is the practice of using a network interface on a computer system to monitor or capture information (Citation: Enterprise ATT&CK January 2018) regardless of whether it is the specified destination for the information. \n\nAn adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. \n\nIn addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.", "kill_chain_phases": [ 
@@ -5065,12 +5116,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Command: Command Execution", - "Process: Process Creation" + "Process: Process Creation", + "Command: Command Execution" ], "type": "attack-pattern", "id": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", @@ -5094,7 +5145,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:03.989Z", "name": "Rootkit", "description": "Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. (Citation: Enterprise ATT&CK January 2018) \n\nFirmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for the I/O that is attached to an asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable [Impact](https://attack.mitre.org/tactics/TA0105).", "kill_chain_phases": [ @@ -5116,7 +5167,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ 
@@ -5144,7 +5195,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:04.179Z", "name": "Automated Collection", "description": "Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.", "kill_chain_phases": [ @@ -5159,16 +5210,14 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Control Server" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Command: Command Execution", "Script: Script Execution", - "Network Traffic: Network Traffic Content", - "File: File Access" + "Command: Command Execution", + "File: File Access", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", 
@@ -5187,7 +5236,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2022-09-19T13:57:23.538Z", + "modified": "2023-10-13T17:57:04.376Z", "name": "Block Reporting Message", "description": "Adversaries may block or prevent a reporting message from reaching its intended target. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. By blocking these reporting messages, an adversary can potentially hide their actions from an operator.\n\nBlocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "kill_chain_phases": [ @@ -5196,23 +5245,23 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Input/Output Server", - "Device Configuration/Parameters" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ + "Operational Databases: Process/Event Alarm", + "Process: Process Termination", "Application Log: Application Log Content", "Network Traffic: Network Traffic Flow", - "Process: Process Termination", - "Operational Databases: Process/Event Alarm", "Operational Databases: Process History/Live Data" ], "type": "attack-pattern", 
@@ -5239,12 +5288,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-04-05T14:16:02.811Z", + "modified": "2023-10-13T17:57:04.582Z", "name": "Unauthorized Command Message", "description": "Adversaries may send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, or without the logical preconditions to trigger their expected function. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device's actions. An adversary could potentially instruct a control systems device to perform an action that will cause an [Impact](https://attack.mitre.org/tactics/TA0105). (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011)\n\nIn the Dallas Siren incident, adversaries were able to send command messages to activate tornado alarm systems across the city without an impending tornado or other disaster. (Citation: Zack Whittaker April 2017) (Citation: Benjamin Freed March 2019)", "kill_chain_phases": [ 
@@ -5253,22 +5300,24 @@ "phase_name": "impair-process-control" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Flow", + "Operational Databases: Process History/Live Data", "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", "Operational Databases: Process/Event Alarm", - "Network Traffic: Network Traffic Content", - "Operational Databases: Process History/Live Data" + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", 
@@ -5299,12 +5348,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2022-09-19T14:12:22.878Z", + "modified": "2023-10-13T17:57:04.784Z", "name": "Data Destruction", "description": "Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. (Citation: Enterprise ATT&CK January 2018)\n\nData destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident.\n\nStandard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.", "kill_chain_phases": [ 
@@ -5313,26 +5360,26 @@ "phase_name": "inhibit-response-function" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Control Server", - "Human-Machine Interface", - "Field Controller/RTU/PLC/IED" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_contributors": [ "Matan Dobrushin - Otorio" ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], + "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "File: File Deletion", "File: File Modification", - "Command: Command Execution", - "Process: Process Creation" + "Process: Process Creation", + "File: File Deletion", + "Command: Command Execution" ], "type": "attack-pattern", "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", 
@@ -5353,12 +5400,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:04.993Z", "name": "Manipulation of View", "description": "Adversaries may attempt to manipulate the information reported back to operators or controllers. This manipulation may be short term or sustained. During this time the process itself could be in a much different state than what is reported. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nOperators may be fooled into doing something that is harmful to the system in a loss of view situation. With a manipulated view into the systems, operators may issue inappropriate control sequences that introduce faults or catastrophic failures into the system. Business analysis systems can also be provided with inaccurate data leading to bad management decisions.", "kill_chain_phases": [ @@ -5376,9 +5421,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "type": "attack-pattern", @@ -5497,7 +5540,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:05.190Z", "name": "Indicator Removal on Host", "description": "Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.", "kill_chain_phases": [ 
@@ -5512,19 +5555,18 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ + "Command: Command Execution", "Process: OS API Execution", + "Windows Registry: Windows Registry Key Modification", "File: File Metadata", "Windows Registry: Windows Registry Key Deletion", + "File: File Deletion", "File: File Modification", - "Command: Command Execution", - "Windows Registry: Windows Registry Key Modification", - "Process: Process Creation", - "File: File Deletion" + "Process: Process Creation" ], "type": "attack-pattern", "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", 
@@ -5543,7 +5585,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:05.375Z", "name": "I/O Image", "description": "Adversaries may seek to capture process values related to the inputs and outputs of a PLC. During the scan cycle, a PLC reads the status of all inputs and stores them in an image table. (Citation: Nanjundaiah, Vaidyanath) The image table is the PLCs internal storage location where values of inputs/outputs for one scan are stored while it executes the user program. After the PLC has solved the entire logic program, it updates the output image table. The contents of this output image table are written to the corresponding output points in I/O Modules.\n\nThe Input and Output Image tables described above make up the I/O Image on a PLC. This image is used by the user program instead of directly interacting with physical I/O. (Citation: Spenneberg, Ralf 2016) \n\nAdversaries may collect the I/O Image state of a PLC by utilizing a devices [Native API](https://attack.mitre.org/techniques/T0834) to access the memory regions directly. The collection of the PLCs I/O state could be used to replace values or inform future stages of an attack.", "kill_chain_phases": [ @@ -5561,7 +5603,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ 
@@ -5594,7 +5636,7 @@ ] }, { - "modified": "2023-03-30T20:16:25.031Z", + "modified": "2023-10-13T17:57:05.576Z", "name": "Denial of View", "description": "Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAn adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment's data and processes may still be operational, but functioning in an unintended or adversarial manner. ", "kill_chain_phases": [ @@ -5603,12 +5645,14 @@ "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "None" ], @@ -5642,12 +5686,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:05.776Z", "name": "Execution through API", "description": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software.", "kill_chain_phases": [ 
@@ -5665,7 +5707,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ 
@@ -5688,7 +5730,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:05.975Z", "name": "Supply Chain Compromise", "description": "Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. \n\nSupply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. \n\nCounterfeit devices may be introduced to the global supply chain posing safety and cyber risks to asset owners and operators. These devices may not meet the safety, engineering and manufacturing requirements of regulatory bodies but may feature tagging indicating conformance with industry standards. Due to the lack of adherence to standards and overall lesser quality, the counterfeit products may pose a serious safety and operational risk. (Citation: Control Global May 2019) \n\nYokogawa identified instances in which their customers received counterfeit differential pressure transmitters using the Yokogawa logo. 
The counterfeit transmitters were nearly indistinguishable with a semblance of functionality and interface that mimics the genuine product. (Citation: Control Global May 2019) \n\nF-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).", "kill_chain_phases": [ @@ -5706,12 +5748,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ 
@@ -5782,7 +5819,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:06.171Z", "name": "Loss of Safety", "description": "Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner. \n\nMany unsafe conditions in process control happen too quickly for a human operator to react to. Speed is critical in correcting these conditions to limit serious impacts such as Loss of Control and Property Damage. \n\nAdversaries may target and disable safety system functions as a prerequisite to subsequent attack execution or to allow for future unsafe conditionals to go unchecked. Detection of a Loss of Safety by operators can result in the shutdown of a process due to strict policies regarding safety systems. This can cause a Loss of Productivity and Revenue and may meet the technical goals of adversaries seeking to cause process disruptions.", "kill_chain_phases": [ 
@@ -5820,7 +5857,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:06.362Z", "name": "Loss of Productivity and Revenue", "description": "Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. \n\nIn cases where these operations or services are brought to a halt, the loss of productivity may eventually present an impact for the end-users or consumers of products and services. The disrupted supply-chain may result in supply shortages and increased prices, among other consequences. \n\nA ransomware attack on an Australian beverage company resulted in the shutdown of some manufacturing sites, including precautionary halts to protect key systems. (Citation: Paganini, Pierluigi June 2020) The company announced the potential for temporary shortages of their products following the attack. (Citation: Paganini, Pierluigi June 2020) (Citation: Lion Corporation June 2020) \n\nIn the 2021 Colonial Pipeline ransomware incident, the pipeline was unable to transport approximately 2.5 million barrels of fuel per day to the East Coast. (Citation: Colonial Pipeline Company May 2021)", "kill_chain_phases": [ 
@@ -5873,7 +5910,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:06.577Z", "name": "Spearphishing Attachment", "description": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T0863) to gain execution and access. (Citation: Enterprise ATT&CK October 2019) \n\nA Chinese spearphishing campaign running from December 9, 2011 through February 29, 2012, targeted ONG organizations and their employees. The emails were constructed with a high level of sophistication to convince employees to open the malicious file attachments. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ @@ -5891,17 +5928,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface", - "Control Server", - "Data Historian" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", + "Process: Process Creation", "File: File Creation", - "Application Log: Application Log Content", - "Process: Process Creation" + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", 
@@ -5972,7 +6006,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:06.780Z", "name": "Drive-by Compromise", "description": "Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session. With this technique, the user's web browser is targeted and exploited simply by visiting the compromised website. \n\nThe adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. \n\nThe National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. (Citation: Cybersecurity & Infrastructure Security Agency March 2018) Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.", "kill_chain_phases": [ @@ -5994,11 +6028,11 @@ ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Process: Process Creation", - "Network Traffic: Network Connection Creation", + "Network Traffic: Network Traffic Content", "Application Log: Application Log Content", + "Process: Process Creation", "File: File Creation", - "Network Traffic: Network Traffic Content" + "Network Traffic: Network Connection Creation" ], "type": "attack-pattern", "id": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", 
@@ -6022,7 +6056,7 @@ ] }, { - "modified": "2023-03-30T20:14:42.829Z", + "modified": "2023-10-13T17:57:06.993Z", "name": "Damage to Property", "description": "Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in [Loss of Safety](https://attack.mitre.org/techniques/T0880). Operations that result in [Loss of Control](https://attack.mitre.org/techniques/T0827) may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of [Loss of Productivity and Revenue](https://attack.mitre.org/techniques/T0828). \n\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. (Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops. 
(Citation: Shelley Smith February 2008) Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside. (Citation: Bruce Schneier January 2008)", "kill_chain_phases": [ @@ -6031,12 +6065,14 @@ "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "None" ], @@ -6075,12 +6111,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-30T20:19:14.351Z", + "modified": "2023-10-13T17:57:07.260Z", "name": "Spoof Reporting Message", "description": "Adversaries may spoof reporting messages in control system environments for evasion and to impair process control. In control systems, reporting messages contain telemetry data (e.g., I/O values) pertaining to the current state of equipment and the industrial process. Reporting messages are important for monitoring the normal operation of a system or identifying important events such as deviations from expected values. \n\nIf an adversary has the ability to Spoof Reporting Messages, they can impact the control system in many ways. The adversary can Spoof Reporting Messages that state that the process is operating normally, as a form of evasion. The adversary could also Spoof Reporting Messages to make the defenders and operators think that other errors are occurring in order to distract them from the actual source of a problem. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) ", "kill_chain_phases": [ 
@@ -6093,21 +6127,23 @@ "phase_name": "impair-process-control" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Windows Registry: Windows Registry Key Modification", - "Network Traffic: Network Traffic Content", "Network Traffic: Network Traffic Flow", - "Operational Databases: Device Alarm" + "Operational Databases: Device Alarm", + "Windows Registry: Windows Registry Key Modification", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", 
@@ -6128,12 +6164,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:07.457Z", "name": "Exploitation of Remote Services", "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for initial access into and lateral movement throughout the ICS environment to enable access to targeted systems. (Citation: Enterprise ATT&CK)\n\nICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (wormable) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts. (Citation: Joe Slowik April 2019)", "kill_chain_phases": [ @@ -6155,9 +6189,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Data Historian", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ 
@@ -6191,7 +6223,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:07.653Z", "name": "Default Credentials", "description": "Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. (Citation: Keith Stouffer May 2015)\n\nDefault credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.", "kill_chain_phases": [ @@ -6209,16 +6241,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Control Server", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Logon Session: Logon Session Creation", - "Network Traffic: Network Traffic Content" + "Network Traffic: Network Traffic Content", + "Logon Session: Logon Session Creation" ], "type": "attack-pattern", "id": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", 
@@ -6242,7 +6270,7 @@ ] }, { - "modified": "2023-03-30T20:16:55.602Z", + "modified": "2023-10-13T17:57:07.840Z", "name": "External Remote Services", "description": "Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. (Citation: Daniel Oakley, Travis Smith, Tripwire)\n\nExternal remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. \n\nAs they look for an entry point into the control system network, adversaries may begin searching for existing point-to-point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)\n", "kill_chain_phases": [ 
@@ -6251,21 +6279,22 @@ "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Input/Output Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", "Logon Session: Logon Session Metadata", - "Network Traffic: Network Traffic Flow" + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", @@ -6291,12 +6320,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-29T16:17:27.903Z", + "modified": "2023-10-13T17:57:08.037Z", "name": "Brute Force I/O", "description": "Adversaries may repetitively or successively change I/O point values to perform an action. Brute Force I/O may be achieved by changing either a range of I/O point values or a single point value repeatedly to manipulate a process function. The adversary's goal and the information they have about the target environment will influence which of the options they choose. In the case of brute forcing a range of point values, the adversary may be able to achieve an impact without targeting a specific point. In the case where a single point is targeted, the adversary may be able to generate instability on the process function associated with that particular point. \n\nAdversaries may use Brute Force I/O to cause failures within various industrial processes. These failures could be the result of wear on equipment or damage to downstream equipment.", "kill_chain_phases": [ 
@@ -6305,20 +6332,21 @@ "phase_name": "impair-process-control" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Operational Databases: Process History/Live Data", + "Application Log: Application Log Content", "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", @@ -6335,9 +6363,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "modified": "2023-05-08T20:13:24.241Z", 
@@ -6377,7 +6403,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:08.233Z", "name": "Adversary-in-the-Middle", "description": "Adversaries with privileged network access may seek to modify network traffic in real time using adversary-in-the-middle (AiTM) attacks. (Citation: Gabriel Sanchez October 2017) This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a AiTM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. (Citation: Bonnie Zhu, Anthony Joseph, Shankar Sastry 2011) \n\nAn AiTM attack may allow an adversary to perform the following attacks: \n[Block Reporting Message](https://attack.mitre.org/techniques/T0804), [Spoof Reporting Message](https://attack.mitre.org/techniques/T0856), [Modify Parameter](https://attack.mitre.org/techniques/T0836), [Unauthorized Command Message](https://attack.mitre.org/techniques/T0855)", "kill_chain_phases": [ 
@@ -6398,18 +6424,16 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface" + "None" ], "x_mitre_version": "2.0", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", "Windows Registry: Windows Registry Key Modification", - "Service: Service Creation", - "Application Log: Application Log Content", + "Process: Process Creation", "Network Traffic: Network Traffic Flow", - "Process: Process Creation" + "Service: Service Creation", + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", @@ -6438,7 +6462,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:08.425Z", "name": "Exploitation for Evasion", "description": "Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. \n\nAdversaries may have prior knowledge through [Remote System Information Discovery](https://attack.mitre.org/techniques/T0888) about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious [System Firmware](https://attack.mitre.org/techniques/T0857).", "kill_chain_phases": [ 
@@ -6456,8 +6480,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ @@ -6480,7 +6503,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:08.613Z", "name": "Loss of Control", "description": "Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nThe German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report.(Citation: BSI State of IT Security 2014) These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace.", "kill_chain_phases": [ 
@@ -6581,7 +6604,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-13T13:32:08.619Z", + "modified": "2023-10-13T17:57:08.803Z", "name": "Hooking", "description": "Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for execution and privilege escalation means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. (Citation: Enterprise ATT&CK)\n\nOne type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process IAT, where pointers to imported API functions are stored. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "kill_chain_phases": [ @@ -6594,19 +6617,21 @@ "phase_name": "privilege-escalation" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ - "Process: Process Metadata", - "Process: OS API Execution" + "Process: OS API Execution", + "Process: Process Metadata" ], "type": "attack-pattern", "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", @@ -6632,9 +6657,7 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "modified": "2023-05-08T20:13:24.241Z", 
@@ -6731,7 +6754,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:08.992Z", "name": "Graphical User Interface", "description": "Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard.\n\nIf physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine.", "kill_chain_phases": [ @@ -6749,14 +6772,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Module: Module Load", + "Process: Process Creation", "Command: Command Execution", - "Logon Session: Logon Session Creation", - "Process: Process Creation" + "Module: Module Load", + "Logon Session: Logon Session Creation" ], "type": "attack-pattern", "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", 
@@ -6775,7 +6798,7 @@ ] }, { - "modified": "2023-03-30T20:18:41.277Z", + "modified": "2023-10-13T17:57:09.193Z", "name": "Rogue Master", "description": "Adversaries may setup a rogue master to leverage control server functions to communicate with outstations. A rogue master can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master. Impersonating a master may also allow an adversary to avoid detection. \n\nIn the case of the 2017 Dallas Siren incident, adversaries used a rogue master to send command messages to the 156 distributed sirens across the city, either through a single rogue transmitter with a strong signal, or using many distributed repeaters. (Citation: Bastille April 2017) (Citation: Zack Whittaker April 2017)", "kill_chain_phases": [ @@ -6784,24 +6807,24 @@ "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ + "Asset: Asset Inventory", "Network Traffic: Network Traffic Flow", - "Network Traffic: Network Traffic Content", - "Application Log: Application Log Content", "Operational Databases: Device Alarm", - "Asset: Asset Inventory" + "Network Traffic: Network Traffic Content", + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", 
@@ -6827,12 +6850,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:09.388Z", "name": "Native API", "description": "Adversaries may directly interact with the native OS application programming interface (API) to access system functions. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. (Citation: The MITRE Corporation May 2017) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. \n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as memcpy and direct operations on memory registers can be used to modify user and system memory space.", "kill_chain_phases": [ @@ -6850,12 +6871,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ 
@@ -6883,7 +6899,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:09.581Z", "name": "Loss of Availability", "description": "Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay) \n\nAdversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.\n\nIn the 2021 Colonial Pipeline ransomware incident, pipeline operations were temporally halted on May 7th and were not fully restarted until May 12th. (Citation: Colonial Pipeline Company May 2021)", "kill_chain_phases": [ @@ -6941,7 +6957,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:09.780Z", "name": "Theft of Operational Information", "description": "Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data. (Citation: Mark Thompson March 2016) (Citation: Danny Yadron December 2015)", "kill_chain_phases": [ 
@@ -6986,7 +7002,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:09.988Z", "name": "System Firmware", "description": "System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. \n\nAn adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. (Citation: Basnight, Zachry, et al.)", "kill_chain_phases": [ @@ -7008,14 +7024,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED", - "Input/Output Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Application Log: Application Log Content", "Operational Databases: Device Alarm", + "Application Log: Application Log Content", "Firmware: Firmware Modification", "Network Traffic: Network Traffic Content" ], 
@@ -7041,7 +7055,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.181Z", "name": "Masquerading", "description": "Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. \n\nApplications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.", "kill_chain_phases": [ @@ -7059,19 +7073,18 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Scheduled Job: Scheduled Job Creation", "Service: Service Creation", - "Command: Command Execution", "File: File Modification", - "Service: Service Modification", "Process: Process Metadata", + "Command: Command Execution", + "Scheduled Job: Scheduled Job Modification", + "Service: Service Modification", "File: File Metadata", - "Scheduled Job: Scheduled Job Modification" + "Scheduled Job: Scheduled Job Creation" ], "type": "attack-pattern", "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", 
@@ -7090,7 +7103,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.374Z", "name": "Program Download", "description": "Adversaries may perform a program download to transfer a user program to a controller. \n\nVariations of program download, such as online edit and program append, allow a controller to continue running during the transfer and reconfiguration process without interruption to process control. However, before starting a full program download (i.e., download all) a controller may need to go into a stop state. This can have negative consequences on the physical process, especially if the controller is not able to fulfill a time-sensitive action. Adversaries may choose to avoid a download all in favor of an online edit or program append to avoid disrupting the physical process. An adversary may need to use the technique Detect Operating Mode or Change Operating Mode to make sure the controller is in the proper mode to accept a program download.\n\nThe granularity of control to transfer a user program in whole or parts is dictated by the management protocol (e.g., S7CommPlus, TriStation) and underlying controller API. Thus, program download is a high-level term for the suite of vendor-specific API calls used to configure a controllers user program memory space. \n\n[Modify Controller Tasking](https://attack.mitre.org/techniques/T0821) and [Modify Program](https://attack.mitre.org/techniques/T0889) represent the configuration changes that are transferred to a controller via a program download.", "kill_chain_phases": [ 
@@ -7108,15 +7121,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ + "Operational Databases: Device Alarm", "Network Traffic: Network Traffic Content", "Asset: Asset Inventory", - "Application Log: Application Log Content", - "Operational Databases: Device Alarm" + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", 
@@ -7135,7 +7147,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.581Z", "name": "Replication Through Removable Media", "description": "Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. \n\nOperators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. (Citation: Kernkraftwerk Gundremmingen April 2016) (Citation: Trend Micro April 2016) The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. (Citation: Christoph Steitz, Eric Auchard April 2016) (Citation: Catalin Cimpanu April 2016) (Citation: Peter Dockrill April 2016) (Citation: Lee Mathews April 2016) (Citation: Sean Gallagher April 2016) (Citation: Dark Reading Staff April 2016) The plant has since checked for infection and cleaned up more than 1,000 computers. (Citation: BBC April 2016) An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution. (Citation: ESET April 2016)", "kill_chain_phases": [ 
@@ -7153,16 +7165,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Data Historian", - "Control Server" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Process: Process Creation", "File: File Creation", - "File: File Access", - "Drive: Drive Creation" + "Drive: Drive Creation", + "File: File Access" ], "type": "attack-pattern", "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", @@ -7231,7 +7241,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.768Z", "name": "Screen Capture", "description": "Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. (Citation: ICS-CERT October 2017) Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.", "kill_chain_phases": [ @@ -7246,7 +7256,7 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ 
@@ -7275,7 +7285,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:10.962Z", "name": "Hardcoded Credentials", "description": "Adversaries may leverage credentials that are hardcoded in software or firmware to gain an unauthorized interactive user session to an asset. Examples credentials that may be hardcoded in an asset include:\n\n* Username/Passwords\n* Cryptographic keys/Certificates\n* API tokens\n\nUnlike [Default Credentials](https://attack.mitre.org/techniques/T0812), these credentials are built into the system in a way that they either cannot be changed by the asset owner, or may be infeasible to change because of the impact it would cause to the control system operation. These credentials may be reused across whole product lines or device models and are often not published or known to the owner and operators of the asset. \n\nAdversaries may utilize these hardcoded credentials to move throughout the control system environment or provide reliable access for their tools to interact with industrial assets. \n", "kill_chain_phases": [ @@ -7300,12 +7310,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Control Server", - "Data Historian", - "Human-Machine Interface", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ 
@@ -7329,7 +7334,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:11.152Z", "name": "Valid Accounts", "description": "Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. \n\nAdversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. (Citation: Booz Allen Hamilton) \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system.", "kill_chain_phases": [ 
@@ -7351,19 +7356,13 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Engineering Workstation", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Logon Session: Logon Session Metadata", + "User Account: User Account Authentication", "Logon Session: Logon Session Creation", - "User Account: User Account Authentication" + "Logon Session: Logon Session Metadata" ], "type": "attack-pattern", "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", 
@@ -7387,7 +7386,7 @@ ] }, { - "modified": "2022-09-27T16:38:58.028Z", + "modified": "2023-10-13T17:57:11.342Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. (Citation: The MITRE Corporation) \n\nWhen initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods. (Citation: The MITRE Corporation)", "kill_chain_phases": [ 
@@ -7396,16 +7395,17 @@ "phase_name": "privilege-escalation" } ], - "x_mitre_detection": "", - "x_mitre_platforms": [ - "Human-Machine Interface", - "Safety Instrumented System/Protection Relay" - ], - "x_mitre_is_subtechnique": false, + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, + "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "None" + ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Application Log: Application Log Content" @@ -7429,12 +7429,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:11.536Z", "name": "Remote System Discovery", "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for subsequent Lateral Movement or Discovery techniques. Functionality could exist within adversary tools to enable this, but utilities available on the operating system or vendor software could also be used. (Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [ 
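Review bot: `x_mitre_attack_spec_version` is re-emitted as `"2.1.0"` for "Exploitation for Privilege Escalation", although the hunk at -7387 bumps its `modified` timestamp to 2023-10-13 and every other object in the visible hunks that shows this field carries `"3.1.0"`. If the field is meant to record the spec the object was last written against, the line should read `"x_mitre_attack_spec_version": "3.1.0"`. If it is deliberately pinned, that deserves a sentence in the commit description. A consumer that gates parsing or validation on this field would otherwise handle this one technique differently from its neighbours. The object ends outside this hunk.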
@@ -7452,18 +7450,14 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ + "File: File Access", "Process: Process Creation", "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow", - "File: File Access" + "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", @@ -7526,7 +7520,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:11.730Z", "name": "Connection Proxy", "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications.\n\nThe definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.\n\nThe network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. (Citation: Enterprise ATT&CK January 2018)", "kill_chain_phases": [ 
@@ -7548,8 +7542,8 @@ ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Flow", - "Network Traffic: Network Traffic Content" + "Network Traffic: Network Traffic Content", + "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", "id": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", @@ -7573,7 +7567,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:11.924Z", "name": "Standard Application Layer Protocol", "description": "Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.", "kill_chain_phases": [ @@ -7588,15 +7582,12 @@ ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Data Historian", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", 
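Review bot: The hunk at -7548 changes nothing except the order of the two `x_mitre_data_sources` entries, and the same kind of reshuffle appears in the data-source arrays of many other hunks in this patch (e.g. -6251 and -6398). The order of these entries seems unlikely to carry meaning, so the churn mainly hides the substantive edits (timestamps, platforms) from anyone reviewing the release for detection-relevant changes. Emitting these arrays in a stable order would avoid this, here by keeping `"Network Traffic: Network Traffic Flow", "Network Traffic: Network Traffic Content"` as it was.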
@@ -7666,7 +7657,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:12.125Z", "name": "Remote Services", "description": "Adversaries may leverage remote services to move between assets and network segments. These services are often used to allow operators to interact with systems remotely within the network, some examples are RDP, SMB, SSH, and other similar mechanisms. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) (Citation: Dragos December 2017) (Citation: Joe Slowik April 2019) \n\nRemote services could be used to support remote access, data transmission, authentication, name resolution, and other remote functions. Further, remote services may be necessary to allow operators and administrators to configure systems within the network from their engineering or management workstations. An adversary may use this technique to access devices which may be dual-homed (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017) to multiple network segments, and can be used for [Program Download](https://attack.mitre.org/techniques/T0843) or to execute attacks on control devices directly through [Valid Accounts](https://attack.mitre.org/techniques/T0859).\n\nSpecific remote services (RDP & VNC) may be a precursor to enable [Graphical User Interface](https://attack.mitre.org/techniques/T0823) execution on devices such as HMIs or engineering workstation software.\n\nBased on incident data, CISA and FBI assessed that Chinese state-sponsored actors also compromised various authorized remote access channels, including systems designed to transfer data and/or allow access between corporate and ICS networks. (Citation: CISA AA21-201A Pipeline Intrusion July 2021)", "kill_chain_phases": [ 
@@ -7691,19 +7682,17 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface", - "Control Server" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ "Network Traffic: Network Traffic Flow", "Module: Module Load", - "Network Share: Network Share Access", - "Process: Process Creation", "Logon Session: Logon Session Creation", + "Process: Process Creation", + "Command: Command Execution", "Network Traffic: Network Connection Creation", - "Command: Command Execution" + "Network Share: Network Share Access" ], "type": "attack-pattern", "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", @@ -7779,7 +7768,7 @@ "x_mitre_is_subtechnique": false }, { - "modified": "2023-03-30T20:15:14.260Z", + "modified": "2023-10-13T17:57:12.329Z", "name": "Denial of Control", "description": "Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)\n\nIn the 2017 Dallas Siren incident operators were unable to disable the false alarms from the Office of Emergency Management headquarters. (Citation: Mark Loveless April 2017)", "kill_chain_phases": [ @@ -7788,12 +7777,14 @@ "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "None" ], 
@@ -7832,12 +7823,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-30T20:17:43.803Z", + "modified": "2023-10-13T17:57:12.528Z", "name": "Modify Alarm Settings", "description": "Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. \n\nIf an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a [Impact](https://attack.mitre.org/tactics/TA0105) could occur. \n\nIn ICS environments, the adversary may have to use [Alarm Suppression](https://attack.mitre.org/techniques/T0878) or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. (Citation: Jos Wetzels, Marina Krotofil 2019) Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. ", "kill_chain_phases": [ 
@@ -7846,25 +7835,23 @@ "phase_name": "inhibit-response-function" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED", - "Device Configuration/Parameters" + "None" ], "x_mitre_version": "1.2", "x_mitre_data_sources": [ "Application Log: Application Log Content", + "Asset: Asset Inventory", "Operational Databases: Process History/Live Data", - "Network Traffic: Network Traffic Content", - "Asset: Asset Inventory" + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", @@ -7885,12 +7872,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:12.723Z", "name": "Commonly Used Port", "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples provided below. \n \n * TCP:80 (HTTP) \n * TCP:443 (HTTPS) \n * TCP/UDP:53 (DNS) \n * TCP:1024-4999 (OPC on XP/Win2k3) \n * TCP:49152-65535 (OPC on Vista and later) \n * TCP:23 (TELNET) \n * UDP:161 (SNMP) \n * TCP:502 (MODBUS) \n * TCP:102 (S7comm/ISO-TSAP) \n * TCP:20000 (DNP3) \n * TCP:44818 (Ethernet/IP)", "kill_chain_phases": [ 
@@ -7911,16 +7896,12 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Safety Instrumented System/Protection Relay", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Control Server", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", @@ -7939,7 +7920,7 @@ ] }, { - "modified": "2023-05-08T18:58:24.092Z", + "modified": "2023-10-13T17:57:12.926Z", "name": "Project File Infection", "description": "Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. (Citation: Beckhoff) Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further [Execution](https://attack.mitre.org/tactics/TA0104) and [Persistence](https://attack.mitre.org/tactics/TA0110) techniques. (Citation: PLCdev) \n\nAdversaries may export their own code into project files with conditions to execute at specific intervals. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing. (Citation: PLCdev)", "kill_chain_phases": [ 
@@ -7948,15 +7929,16 @@ "phase_name": "persistence" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Engineering Workstation", - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ @@ -7991,12 +7973,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:13.131Z", "name": "Network Connection Enumeration", "description": "Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as Netstat(Citation: Netstat), in conjunction with [System Firmware](https://attack.mitre.org/techniques/T0857), then they can determine the role of certain devices on the network (Citation: MITRE). The adversary can also use [Network Sniffing](https://attack.mitre.org/techniques/T0842) to watch network traffic for details about the source, destination, protocol, and content.", "kill_chain_phases": [ @@ -8014,7 +7994,7 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ 
@@ -8050,7 +8030,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:13.327Z", "name": "Lateral Tool Transfer", "description": "Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)\n\nIn control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.", "kill_chain_phases": [ @@ -8068,19 +8048,17 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Human-Machine Interface", - "Control Server", - "Data Historian" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Process: Process Creation", - "File: File Creation", - "File: File Metadata", "Network Share: Network Share Access", - "Network Traffic: Network Traffic Flow", - "Command: Command Execution" + "File: File Metadata", + "File: File Creation", + "Network Traffic: Network Traffic Content", + "Command: Command Execution", + "Process: Process Creation", + "Network Traffic: Network Traffic Flow" ], "type": "attack-pattern", "id": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", 
@@ -8104,7 +8082,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:13.531Z", "name": "Module Firmware", "description": "Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. \n\nThis technique is similar to [System Firmware](https://attack.mitre.org/techniques/T0857), but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. (Citation: Daniel Peck, Dale Peterson January 2009) \n\nAn easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: (Citation: Daniel Peck, Dale Peterson January 2009) \n\n* Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. \n* Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. \n* Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. \n* A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. \n* Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. 
Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.", "kill_chain_phases": [ @@ -8126,14 +8104,13 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Application Log: Application Log Content", "Operational Databases: Device Alarm", + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", "Firmware: Firmware Modification" ], "type": "attack-pattern", 
@@ -8158,7 +8135,7 @@ ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-13T17:57:13.719Z", "name": "Internet Accessible Device", "description": "Adversaries may gain access into industrial environments through systems exposed directly to the internet for remote access rather than through [External Remote Services](https://attack.mitre.org/techniques/T0822). Internet Accessible Devices are exposed to the internet unintentionally or intentionally without adequate protections. This may allow for adversaries to move directly into the control system network. Access onto these devices is accomplished without the use of exploits, these would be represented within the [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T0819) technique.\n\nAdversaries may leverage built in functions for remote access which may not be protected or utilize minimal legacy protections that may be targeted. (Citation: NCCIC January 2014) These services may be discoverable through the use of online scanning tools. \n\nIn the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing. (Citation: NCCIC January 2014) (Citation: Danny Yadron December 2015) (Citation: Mark Thompson March 2016)\n\nIn Trend Micros manufacturing deception operations adversaries were detected leveraging direct internet access to an ICS environment through the exposure of operational protocols such as Siemens S7, Omron FINS, and EtherNet/IP, in addition to misconfigured VNC access. (Citation: Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rsler, and Rainer Vosseler)", "kill_chain_phases": [ 
@@ -8176,18 +8153,13 @@ "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Control Server", - "Data Historian", - "Field Controller/RTU/PLC/IED", - "Human-Machine Interface", - "Input/Output Server", - "Safety Instrumented System/Protection Relay" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Logon Session: Logon Session Metadata", - "Network Traffic: Network Traffic Content", - "Network Traffic: Network Traffic Flow" + "Network Traffic: Network Traffic Flow", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", @@ -8226,7 +8198,7 @@ ] }, { - "modified": "2023-04-05T14:14:48.109Z", + "modified": "2023-10-13T17:57:13.921Z", "name": "Data from Local System", "description": "Adversaries may target and collect data from local system sources, such as file systems, configuration files, or local databases. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes.\n\nAdversaries may do this using [Command-Line Interface](https://attack.mitre.org/techniques/T0807) or [Scripting](https://attack.mitre.org/techniques/T0853) techniques to interact with the file system to gather information. Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T0802) on the local system. ", "kill_chain_phases": [ 
@@ -8235,27 +8207,24 @@ "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED", - "Safety Instrumented System/Protection Relay", - "Control Server", - "Input/Output Server", - "Human-Machine Interface", - "Engineering Workstation" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Command: Command Execution", - "Process: OS API Execution", + "File: File Access", "Process: Process Creation", "Script: Script Execution", - "File: File Access" + "Process: OS API Execution", + "Command: Command Execution" ], "type": "attack-pattern", "id": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", 
@@ -8271,12 +8240,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-04-07T13:40:53.842Z", + "modified": "2023-10-13T17:57:14.123Z", "name": "Change Credential", "description": "Adversaries may modify software and device credentials to prevent operator and responder access. Depending on the device, the modification or addition of this password could prevent any device configuration actions from being accomplished and may require a factory reset or replacement of hardware. These credentials are often built-in features provided by the device vendors as a means to restrict access to management interfaces.\n\nAn adversary with access to valid or hardcoded credentials could change the credential to prevent future authorized device access. Change Credential may be especially damaging when paired with other techniques such as Modify Program, Data Destruction, or Modify Controller Tasking. In these cases, a device’s configuration may be destroyed or include malicious actions for the process environment, which cannot not be removed through normal device configuration actions. \n\nAdditionally, recovery of the device and original configuration may be difficult depending on the features provided by the device. In some cases, these passwords cannot be removed onsite and may require that the device be sent back to the vendor for additional recovery steps.\n\n\nA chain of incidents occurred in Germany, where adversaries locked operators out of their building automation system (BAS) controllers by enabling a previously unset BCU key. (Citation: German BAS Lockout Dec 2021) \n", "kill_chain_phases": [ @@ -8285,6 +8252,7 @@ "phase_name": "inhibit-response-function" } ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_contributors": [ "Felix Eberstaller" ], 
@@ -8294,13 +8262,14 @@ "ics-attack" ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], "x_mitre_version": "1.0", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Content", - "Operational Databases: Device Alarm" + "Operational Databases: Device Alarm", + "Network Traffic: Network Traffic Content" ], "type": "attack-pattern", "id": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", @@ -8321,12 +8290,10 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { - "modified": "2023-03-09T18:38:51.471Z", + "modified": "2023-10-20T17:01:10.138Z", "name": "Modify Program", "description": "Adversaries may modify or add a program on a controller to affect how it interacts with the physical process, peripheral devices and other hosts on the network. Modification to controller programs can be accomplished using a Program Download in addition to other types of program modification such as online edit and program append. \n\nProgram modification encompasses the addition and modification of instructions and logic contained in Program Organization Units (POU) (Citation: IEC February 2013) and similar programming elements found on controllers. This can include, for example, adding new functions to a controller, modifying the logic in existing functions and making new calls from one function to another. \n\nSome programs may allow an adversary to interact directly with the native API of the controller to take advantage of obscure features or vulnerabilities.", "kill_chain_phases": [ 
@@ -8335,23 +8302,21 @@ "phase_name": "persistence" } ], - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": [ "ics-attack" ], "x_mitre_is_subtechnique": false, - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ - "Field Controller/RTU/PLC/IED" + "None" ], - "x_mitre_version": "1.1", + "x_mitre_version": "1.2", "x_mitre_data_sources": [ + "Network Traffic: Network Traffic Content", "Operational Databases: Device Alarm", "Asset: Software", - "Application Log: Application Log Content", - "Network Traffic: Network Traffic Content" + "Application Log: Application Log Content" ], "type": "attack-pattern", "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", 
@@ -8370,303 +8335,45 @@ "url": "https://webstore.iec.ch/publication/4552" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] - }, - { - "type": "relationship", - "id": "relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:50:10.284Z", - "description": "Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.200Z", - "relationship_type": "mitigates", - "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "x_mitre_attack_spec_version": 
"2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:19:04.853Z", - "description": "Monitor logon activity for unexpected or unusual access to devices from the Internet.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", - "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n", - "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.099Z", - "relationship_type": "mitigates", - "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7258c355-677c-452d-b1fc-27767232437b", - "created": "2019-03-26T16:19:52.358Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019", - "description": "David Voreacos, Katherine Chinglinsky, Riley Griffin 2019, December 03 Merck Cyberattacks $1.3 Billion Question: Was It an Act of War? Retrieved. 2019/12/06 ", - "url": "https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:59:02.909Z", - "description": "[NotPetya](https://attack.mitre.org/software/S0368) disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines. 
(Citation: David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019)", - "relationship_type": "uses", - "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--d8911566-f622-4a01-b765-514dbbfd8201", - "created": "2022-09-28T20:27:01.345Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--007a2c53-fc5c-4750-aff0-defb282e178a", + "created": "2023-09-29T16:30:30.829Z", "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-13T16:53:47.447Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can deploy Tcpdump to sniff network traffic and collect PCAP files.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "modified": "2023-09-29T16:30:30.829Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce", - "created": "2018-10-17T00:14:20.652Z", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos December 2017", - "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", - "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:06:08.814Z", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment. (Citation: Dragos December 2017)", - "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--3c341d13-938e-4535-ac75-10a79abc7017", - "created": "2022-05-11T16:22:58.808Z", + "id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", + "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:46:17.575Z", - "description": "Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.", + "modified": "2022-09-26T15:15:33.180Z", + "description": "Monitor ICS asset application logs that indicate alarm settings 
have changed, although not all assets will produce such logs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.115Z", - "relationship_type": "mitigates", - "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:12:58.883Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.061Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton 
Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-31T19:58:55.128Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", - "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 
2021/04/07 ", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:53:50.448Z", - "description": "In the Ukraine 2015 incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. (Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -8674,105 +8381,43 @@ }, { "type": "relationship", - "id": "relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07", - "created": "2023-03-31T17:45:32.860Z", + "id": "relationship--00b9e63b-57a7-408e-83d6-fc03535010a6", + "created": "2023-09-27T14:39:33.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-07T16:12:03.917Z", - "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.(Citation: Dragos Crashoverride 2018)", + "modified": "2023-09-27T15:17:22.734Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators. 
(Citation: Booz Allen Hamilton)", "relationship_type": "uses", - "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "type": "relationship", - "id": "relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa", - "created": "2023-03-30T19:03:59.066Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:03:59.066Z", - "description": "Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. 
Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f", - "created": "2023-03-10T20:34:55.362Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:34:55.362Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", + "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": 
"2022-05-06T17:47:24.178Z", + "modified": "2022-05-06T17:47:24.104Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
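Review bot: The external reference added for `relationship--00b9e63b-57a7-408e-83d6-fc03535010a6` has the description `Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 `, which runs author and title together, gives no publication date and ends in a trailing space. The reference removed in the same hunk used the `Author. (date). Title. Retrieved …` form. This citation is the only sourcing shown for the claim that domain-controller credentials were used to reach the control-system VPN, so it should be easy to resolve. I would normalise it to `Booz Allen Hamilton. (<publication date>). When The Lights Went Out. Retrieved October 22, 2019.`, with the date taken from the report itself.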
@@ -8786,47 +8431,59 @@ }, { "type": "relationship", - "id": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--011f1d16-c9f1-48ac-94f1-165466c155f8", + "created": "2023-09-29T18:43:33.176Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:54:38.303Z", - "description": "Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "modified": "2023-09-29T18:43:33.176Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": 
"relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd", + "created": "2023-09-29T16:30:58.431Z", "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:24:19.351Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "modified": "2023-09-29T16:30:58.431Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--01335508-22bb-4185-a7e2-49ec9bee6423", + "created": "2023-09-28T20:15:20.293Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:20.293Z", + "description": "", + "relationship_type": "targets", + 
"source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
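Review bot: The relationships added here, starting with `relationship--011f1d16-c9f1-48ac-94f1-165466c155f8`, use `"relationship_type": "targets"` with an `x-mitre-asset--…` target, and carry `"description": ""` and `"x_mitre_attack_spec_version": "3.2.0"`. The other relationship objects visible in this diff are `uses`, `mitigates` or `detects` links with a non-empty description. Tooling that switches on `relationship_type` or renders `description` into detection or mitigation guidance presumably needs a branch for the new type and for the empty string. I would either drop the empty key, which looks optional here, or document that `targets` links intentionally carry no text. The same pattern recurs in the hunks at `@@ -8891,109 +8505,75 @@`, `@@ -9004,55 +8584,69 @@` and `@@ -9060,121 +8654,40 @@`.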
@@ -8834,56 +8491,13 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", + "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.137Z", + "modified": "2022-05-06T17:47:24.203Z", "relationship_type": "mitigates", - "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", - "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", - "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:26:34.069Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.202Z", - "relationship_type": "mitigates", - "description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -8891,109 +8505,75 @@ }, { "type": "relationship", - "id": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Hydro", - "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", - "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" - }, - { - "source_name": "Kevin Beaumont", - "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", - "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:56:30.836Z", - "description": "While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0372) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. 
(Citation: Kevin Beaumont)(Citation: Hydro)", - "relationship_type": "uses", - "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.069Z", - "relationship_type": "mitigates", - "description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--87eb5825-c918-444f-8da5-67da9eea9906", - "created": "2022-09-26T17:14:52.427Z", + "id": "relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0", + "created": "2023-09-29T18:42:27.894Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T17:14:52.427Z", - "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "modified": 
"2023-09-29T18:42:27.894Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "type": "relationship", + "id": "relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124", + "created": "2023-09-29T18:55:47.037Z", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3", + "modified": "2023-09-29T18:55:47.037Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.120Z", - "relationship_type": "mitigates", - "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. 
(Citation: Dan Goodin March 2017)\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "external_references": [ - { - "source_name": "Dan Goodin March 2017", - "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", - "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--75a60046-c4d7-498a-b256-9a93b5992dcc", - "created": "2022-05-11T16:22:58.805Z", + "id": "relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50", + "created": "2023-09-29T17:42:44.516Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:44.516Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", + "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:55:46.014Z", - "description": "Monitor for unusual 
processes with internal network connections creating files on-system which may be suspicious. ", + "modified": "2022-10-14T16:47:45.775Z", + "description": "Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -9004,55 +8584,69 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7", + "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.168Z", + "modified": "2022-05-06T17:47:24.177Z", "relationship_type": "mitigates", - "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - } - ], + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { + "type": "relationship", + "id": "relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c", + "created": "2023-09-29T17:59:31.091Z", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757", + "modified": "2023-09-29T17:59:31.091Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.180Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": 
"relationship", - "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", + "id": "relationship--033b4401-261f-498b-89f3-2bad9ff5907a", + "created": "2023-09-29T17:58:15.338Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:15.338Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-21T13:48:51.528Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "modified": "2023-03-08T22:27:54.588Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
@@ -9060,121 +8654,40 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--b3b24837-83ed-46c5-ba80-66a832c7072e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.062Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57", + "created": "2023-09-29T16:29:03.438Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-17T16:45:08.648Z", - "description": "Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. 
Be aware of multi-factor authentication interception techniques for some implementations.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "modified": "2023-09-29T16:29:03.438Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:23:47.107Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through a trojanized installer attached to emails. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022", + "created": "2022-09-27T17:39:15.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-21T16:44:01.639Z", - "description": "To protect against AiTM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). 
Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from AiTM.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:33:22.909Z", - "description": "Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.", + "modified": "2022-10-14T16:56:24.399Z", + "description": "Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--567acebd-4ba2-4723-a74d-514992321ccc", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:03:27.702Z", - "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -9183,3898 +8696,18 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", + "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.209Z", "relationship_type": "mitigates", - "description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", - "created": "2021-04-13T12:28:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Ben Hunter and Fred Gutierrez July 2020", - "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ", - "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" - }, - { - "source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", - "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 
2021/04/12 ", - "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:45:28.094Z", - "description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. (Citation: Ben Hunter and Fred Gutierrez July 2020)", - "relationship_type": "uses", - "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", - "created": "2021-04-12T10:12:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - }, - { - "source_name": "ICS-CERT August 2018", - "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 
2019/04/01 ", - "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:22:33.586Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd", - "created": "2022-09-27T15:27:00.387Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:27:00.387Z", - "description": "Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). 
Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", - "created": "2021-04-13T12:28:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Davey Winder June 2020", - "description": "Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 2021/04/12 ", - "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:47:16.775Z", - "description": "[EKANS](https://attack.mitre.org/software/S0605) infection resulted in a temporary production loss within a Honda manufacturing plant. 
(Citation: Davey Winder June 2020)", - "relationship_type": "uses", - "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:21.586Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.153Z", - "relationship_type": "mitigates", - "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:52:41.680Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335", - "created": "2021-04-13T12:28:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Ben Hunter and Fred Gutierrez July 2020", - "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 
2021/04/12 ", - "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:46:56.223Z", - "description": "[EKANS](https://attack.mitre.org/software/S0605) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. (Citation: Ben Hunter and Fred Gutierrez July 2020)", - "relationship_type": "uses", - "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:43:54.996Z", - "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. 
Web Application Firewalls may detect improper inputs attempting exploitation.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.235Z", - "relationship_type": "mitigates", - "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--aa205915-7571-47ee-8bc6-5aa1ace86690", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:52:11.111Z", - "description": "Devices may produce alarms about restarts or shutdowns. 
Monitor for unexpected device restarts or shutdowns.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.080Z", - "relationship_type": "mitigates", - "description": "Execution prevention may block malicious software from accessing protected resources through the command line interface.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 
2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:00.355Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.111Z", - "relationship_type": "mitigates", - "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - 
"object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.091Z", - "relationship_type": "mitigates", - "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0", - "created": "2022-09-29T14:28:08.703Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T14:28:08.703Z", - "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System 
Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:27:42.104Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. (Citation: DHS CISA February 2019)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--10e87e4b-a231-42e3-a011-0031f8226936", - "created": "2022-09-26T17:15:51.819Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T17:15:51.819Z", - "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - 
"type": "relationship", - "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.092Z", - "relationship_type": "mitigates", - "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8b491011-322d-4e0b-8f79-449e1b2ee185", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:55:26.030Z", - "description": "Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", - "created": "2019-03-25T19:13:54.947Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT 
Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:32:08.109Z", - "description": "[WannaCry](https://attack.mitre.org/software/S0366) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.109Z", - "relationship_type": "mitigates", - "description": "Minimize the exposure of API calls that allow the execution of code.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": 
"2022-05-06T17:47:24.135Z", - "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", - "external_references": [ - { - "source_name": "M. Rentschler and H. Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:08:06.789Z", - "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", - "created": 
"2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T13:53:55.028Z", - "description": "Disable unnecessary legacy network protocols that may be used for AiTM if applicable.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). 
In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.\n", - "source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:22:50.001Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b", - "created": "2022-09-27T19:06:12.301Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T19:06:12.302Z", - "description": "A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. 
Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", - "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.092Z", - "relationship_type": "mitigates", - "description": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:36:26.506Z", - "modified": "2022-05-06T17:47:24.166Z", - "relationship_type": "mitigates", - "description": "Minimize the exposure of API calls that allow the execution of code.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", - 
"x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.089Z", - "relationship_type": "mitigates", - "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:53:56.368Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--dadfed22-d70c-482b-9026-964396d75484", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:42:28.053Z", - "description": "Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. 
This could include suspicious files written to disk.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.204Z", - "relationship_type": "mitigates", - "description": "Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.\n", - "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--70113c21-85f2-4232-8755-233f93864277", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T19:17:12.033Z", - "description": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running. 
For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d", - "created": "2021-10-08T15:25:32.143Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T17:13:18.889Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: `set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s);` (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7d2db896-3051-483c-bc53-ca21832ee085", 
- "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:47:23.983Z", - "description": "Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e", - "created": "2023-03-31T17:45:09.659Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-07T17:51:39.294Z", - "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.(Citation: Dragos Crashoverride 2018)", - "relationship_type": "uses", - "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", - "created": "2021-04-13T12:08:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:25:07.936Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. 
(Citation: DHS CISA February 2019)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", - "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", - "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:28:39.359Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. 
(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--10626671-941d-4a82-a835-56059058ef87", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.065Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.133Z", - "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.128Z", - "relationship_type": "mitigates", - "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.210Z", - "relationship_type": "mitigates", - "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, - { - "type": "relationship", - "id": "relationship--6eaf727c-fec3-4e63-8852-eee27c44d596", - "created": "2022-09-27T15:23:19.486Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:47:06.144Z", - "description": "Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Xenotime 2018", - "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", - "url": "https://dragos.com/resource/xenotime/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-11-23T21:06:25.384Z", - "description": "(Citation: Dragos Xenotime 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.0.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.186Z", - "relationship_type": "mitigates", - "description": 
"When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.065Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.073Z", - "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c", - "created": "2022-09-26T16:50:56.298Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:50:56.298Z", - "description": "Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.106Z", - "relationship_type": "mitigates", - "description": "Ensure all 
browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:27:02.814Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c", - "created": "2022-09-27T15:34:07.320Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:34:07.320Z", - "description": "Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:34:32.554Z", - "description": "Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.", - "relationship_type": "detects", - "source_ref": 
"x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978", - "created": "2022-09-26T14:29:33.111Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:29:33.111Z", - "description": "Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374", - "created": "2022-09-26T14:35:27.430Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:35:27.430Z", - "description": "Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via [Rogue Master](https://attack.mitre.org/techniques/T0848).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": 
"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Robert Falcone, Bryan Lee May 2016", - "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", - "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:31:19.923Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 
(Citation: Robert Falcone, Bryan Lee May 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba", - "created": "2023-03-30T14:11:33.618Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T14:11:33.618Z", - "description": "Monitor for device credential changes observable in automation or management network protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.222Z", - "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--77821dbb-367e-455f-bcae-b87412e88f1b", - "created": "2022-09-26T16:56:53.939Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:56:53.940Z", - "description": "Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:52.947Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a6479493-6154-408f-90df-9d2f3ae352d1", - "created": "2023-03-31T17:46:01.470Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-07T17:06:53.070Z", - "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems.(Citation: Dragos Crashoverride 2018)", - "relationship_type": "uses", - "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.071Z", - "relationship_type": "mitigates", - "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141", - "created": "2023-03-31T18:12:35.414Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ESET 
Industroyer", - "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - }, - { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-07T17:07:29.299Z", - "description": "Within the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Industroyer](https://attack.mitre.org/software/S0604) was used to target and disrupt the Ukrainian power grid substation components.(Citation: Dragos Crashoverride 2018)(Citation: ESET Industroyer)", - "relationship_type": "uses", - "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", - "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.180Z", - "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. 
Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5", - "created": "2022-09-27T16:38:57.931Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:38:57.931Z", - "description": "Detecting software exploitation may be difficult depending on the tools available. 
Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.224Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.177Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c22acaab-baa4-45b0-9c4b-9330715e5455", - "created": "2022-10-13T21:18:17.775Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:26:03.133Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized an operator HMI to manipulate process control setpoint values far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--70a9010c-6943-4274-b854-50901c3e5a0e", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:23:29.885Z", - "description": "Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ACSC Email Spoofing", - "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", - "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" - }, - { - "source_name": "Microsoft Anti Spoofing", - "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. 
Retrieved October 19, 2020.", - "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:48:02.425Z", - "description": "Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.072Z", - "relationship_type": "mitigates", - "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--df95c619-33ee-4484-934a-78857717323e", - 
"created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:18:47.783Z", - "description": "Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.156Z", - "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:51:47.079Z", - "description": "Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:18:27.480Z", - "description": "Monitor for unexpected protocols to/from the Internet. 
While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.201Z", - "relationship_type": "mitigates", - "description": "Execution prevention may prevent malicious scripts from accessing protected resources.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--2c641542-2e18-4943-849a-7141b7da4fcd", - "created": "2022-09-20T20:54:36.422Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:25:27.955Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors raised the sodium hydroxide setpoint value from 100 part-per-million (ppm) to 11,100 ppm, far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--39963a04-9675-4fa4-87ea-1b34145cc569", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Elastic - Koadiac Detection with EQL", - "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020.", - "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:51:44.656Z", - "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.083Z", - "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "external_references": [ - { - "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", - "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", - "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ea218d63-d9de-4f63-804a-cb039d804025", - "created": "2022-09-20T20:54:08.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:26:30.893Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors gained access to the system through remote access software, allowing for the use of the standard operator HMI interface.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Max Heinemeyer February 2020", - "description": "Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 2021/04/12 ", - "url": "https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:06:56.076Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) uses the SMB protocol to encrypt files located on remotely connected file shares. 
(Citation: Max Heinemeyer February 2020)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--42508a8e-44d5-4af1-9e66-bace5fc94734", - "created": "2022-09-27T18:49:25.089Z", - "revoked": false, - "external_references": [ - { - "source_name": "University of Birmingham C2", - "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", - "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:49:25.089Z", - "description": "Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:49:35.368Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.182Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:25:59.238Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to login as a user and stop a service as that user. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.068Z", - "relationship_type": "mitigates", - "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1", - "created": "2023-03-10T20:10:23.377Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water 
Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:10:23.377Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.214Z", - "relationship_type": "mitigates", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ 
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:40:41.495Z", - "description": "Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.114Z", - "relationship_type": "mitigates", - "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - "external_references": [ - { - "source_name": "Dan Goodin March 2017", - "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", - "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e", - "created": "2022-09-27T15:48:55.986Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:48:55.986Z", - "description": "Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.\n \n[Program Download](https://attack.mitre.org/techniques/T0843) may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Chris Bing May 2018", - "description": "Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 
2020/01/03 ", - "url": "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:07:07.445Z", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees. (Citation: Chris Bing May 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ESET Research Whitepapers September 2018", - "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" - }, - { - "source_name": "Intel", - "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", - "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" - }, - { - "source_name": "N/A", - "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 
2020/09/25 ", - "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T13:20:11.016Z", - "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", - "created": "2021-10-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T17:31:56.055Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. 
If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the `xyz.dll` file. If the `xyz.dll` file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:45:39.703Z", - "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). 
This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:23:18.048Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Eduard Kovacs May 2018", - "description": "Eduard Kovacs 2018, May 10 'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK Retrieved. 2020/01/03 ", - "url": "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:40:42.440Z", - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. 
(Citation: Eduard Kovacs May 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:36:33.957Z", - "description": "Monitor network traffic for anomalies associated with known AiTM behavior. For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T20:08:31.892Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) developed and used malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.072Z", - "relationship_type": "mitigates", - "description": "Restrict unauthorized devices from accessing serial comm ports.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6157408d-1eb3-4445-8d8a-14619458954f", - "created": "2022-09-27T15:26:40.297Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": 
"2022-09-27T15:26:40.297Z", - "description": "Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:53:25.280Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of control. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T17:07:03.003Z", - "description": "Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.228Z", - "relationship_type": "mitigates", - "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious 
events.\n", - "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7912946d-1605-465a-a55c-36bb104235ab", - "created": "2022-09-27T16:08:53.157Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:08:53.157Z", - "description": "Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a78e727c-8e42-448c-beb4-463804e18be0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.123Z", - "relationship_type": "mitigates", - "description": "Minimize permissions and access for service accounts to limit impact of exploitation. 
(Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:10:18.233Z", - "description": "Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Inc. June 2017", - "description": "Dragos Inc. 
2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", - "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:16:26.262Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b", - "created": "2023-03-30T19:24:38.022Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 Mandiant April 2022", - "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", - "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-31T16:17:58.795Z", - "description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. 
These are defined through a hardcoded configuration.(Citation: Industroyer2 Mandiant April 2022)", - "relationship_type": "uses", - "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.145Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8da928a0-1c87-471f-aad7-5a1fdd438357", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:44:43.674Z", - "description": "Detecting software exploitation may be difficult depending on the tools available. 
Software exploits may not always succeed or may cause the exploited process to become unstable or crash, which may be recorded in the application log.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9e0810a5-ad02-487f-b0a8-bf07decca493", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:07:52.455Z", - "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.125Z", - "relationship_type": "mitigates", - "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). 
Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348", - "created": "2022-09-28T21:18:55.279Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:17:21.181Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--80a69b56-337d-446a-8167-8b9f63083c4f", - "created": "2022-09-28T21:24:21.810Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.442Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) includes a library that creates Modbus connections with a device to request its device ID.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.175Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca", - "created": "2022-09-27T15:42:39.964Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:43:48.288Z", - "description": "Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.168Z", - "relationship_type": "mitigates", - "description": "Use multi-factor authentication wherever possible.\n", - "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.138Z", - "relationship_type": "mitigates", - "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. 
Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", - "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", - "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", - "external_references": [ - { - "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", - "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 2020/09/17 ", - "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", - "created": "2017-05-31T21:33:27.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:30:17.124Z", - "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. 
(Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--949b498c-ca3f-4704-90bd-a22a4d34067f", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:37:55.042Z", - "description": "Monitor for loss of operational process data which could indicate alarms are being suppressed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:00:39.796Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) utilizes the PLC communication and management API to load executable Program Organization Units. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--321fc522-bc6b-4975-bee4-9098624d1e8c", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:32:18.815Z", - "description": "Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--59c65014-1fee-4c2e-9ece-9883159bbed2", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T19:16:20.286Z", - "description": "Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:02:30.876Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.232Z", - "relationship_type": "mitigates", - "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. 
MFA can also be used to restrict access to cloud resources and APIs.\n", - "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:30:27.289Z", - "description": "Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.082Z", - "relationship_type": "mitigates", - "description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--81add433-49d8-43ec-85d5-f48fe80e56e7", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:44:21.000Z", - "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. 
Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "McAfee Labs October 2019", - "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", - "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" - }, - { - "source_name": "SecureWorks September 2019", - "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:05:35.788Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. 
(Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.172Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.239Z", - "relationship_type": "mitigates", - "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. 
(Citation: Bastille April 2017)\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", - "external_references": [ - { - "source_name": "Bastille April 2017", - "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", - "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "McAfee Labs October 2019", - "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", - "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:04:11.691Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) searches for all processes listed in the prc field within its configuration file and then terminates each process. 
(Citation: McAfee Labs October 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:12:43.166Z", - "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6681bc38-0b55-4714-b690-c609956b40bf", - "created": "2022-09-28T20:27:33.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.438Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).(Citation: CISA-AA22-103A)\n\n [INCONTROLLER](https://attack.mitre.org/software/S1045) can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3", - "created": "2023-03-30T18:59:30.677Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T18:59:30.677Z", - "description": "Develop and publish policies that define acceptable information to be stored on local systems.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": 
"0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f130282b-f681-455f-966b-55829842be92", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Langer Stuxnet", - "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", - "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-17T16:00:06.894Z", - "description": "One of [Stuxnet](https://attack.mitre.org/software/S0603)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. 
(Citation: Langer Stuxnet)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--efb80069-e4be-4055-bd34-06d1376b4601", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.109Z", - "relationship_type": "mitigates", - "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "external_references": [ - { - "source_name": "McCarthy, J et al. July 2018", - "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 
2020/09/17 ", - "url": "https://doi.org/10.6028/NIST.SP.1800-2" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-31T20:13:05.134Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a", - "created": "2023-03-30T14:08:23.251Z", - "revoked": false, - "external_references": [ - { - "source_name": "CISA June 2013", - "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T14:08:23.251Z", - "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.(Citation: CISA June 2013)", - "relationship_type": "mitigates", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.109Z", - "relationship_type": "mitigates", - "description": "Application isolation will limit the other processes and system features an exploited target can access. 
Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.092Z", - "relationship_type": "mitigates", - "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", - "created": "2021-04-13T12:45:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:12:08.899Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) calls system function blocks which are part of the operating system running on the PLC. Theyre used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:00:56.539Z", - "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:01:00.053Z", - "description": "The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S1006) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--67e11f38-9f68-4989-8de3-da65af52063e", - "created": "2023-03-30T19:24:54.896Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 ESET April 2022", - "description": "ESET. (2022, April 12). Industroyer2: Industroyer reloaded. Retrieved March 30, 2023.", - "url": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" - }, - { - "source_name": "Industroyer2 Forescout July 2022", - "description": "Forescout. (2022, July 14). 
Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", - "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-06T22:10:14.646Z", - "description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels.(Citation: Industroyer2 Forescout July 2022)(Citation: Industroyer2 ESET April 2022)", - "relationship_type": "uses", - "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-10T14:13:17.429Z", - "modified": "2022-05-06T17:47:24.188Z", - "relationship_type": "mitigates", - "description": "Enforce strong password requirements to prevent password brute force methods for lateral movement.\n", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af", - "created": "2023-03-30T19:04:30.392Z", 
- "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:04:30.392Z", - "description": "Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ab0b5170-577b-491e-8508-b9a34dc393c1", - "created": "2022-09-27T16:22:57.470Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:22:57.470Z", - "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794", - "created": "2023-03-30T14:08:42.386Z", - "revoked": false, - "external_references": [ - { - "source_name": "M. Rentschler and H. 
Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T14:08:42.386Z", - "description": "Retain cold-standby or replacement hardware of similar models to ensure continued operations of critical functions if the primary system is compromised or unavailable. (Citation: M. Rentschler and H. Heine)", - "relationship_type": "mitigates", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7", - "created": "2022-09-27T15:30:18.604Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:30:18.604Z", - "description": "Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2", - "created": "2022-09-26T15:37:30.958Z", 
- "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:37:30.958Z", - "description": "Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.076Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. 
Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:02:12.812Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T18:41:09.265Z", - "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.126Z", - "relationship_type": "mitigates", - "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. 
(Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T18:40:55.168Z", - "description": "Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. 
In addition to network level detections, endpoint logging and instrumentation can be useful for detection.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:17.429Z", - "modified": "2022-05-06T17:47:24.189Z", - "relationship_type": "mitigates", - "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "external_references": [ - { - "source_name": "North America Transmission Forum December 2019", - "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 
2020/09/25 ", - "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:08:26.506Z", - "modified": "2022-05-06T17:47:24.117Z", - "relationship_type": "mitigates", - "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "external_references": [ - { - "source_name": "Dan Goodin March 2017", - "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", - "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:01:39.537Z", - "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693", - "type": "relationship", - "created": "2022-03-09T23:42:34.056Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Secureworks IRON VIKING ", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
- } - ], - "modified": "2022-03-09T23:42:34.056Z", - "description": "(Citation: Secureworks IRON VIKING )", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--50b3247a-ea71-455e-b299-f00666c05146", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:12:35.411Z", - "description": "In states 3 and 4 [Stuxnet](https://attack.mitre.org/software/S0603) sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:49:59.817Z", - "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", - "created": "2021-04-13T12:08:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Microsoft Security Response Center August 2017", - "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", - "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" - }, - { - "source_name": "Wikipedia", - "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", - "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T13:18:50.929Z", - "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.091Z", - "relationship_type": "mitigates", - "description": "Develop and publish policies that define acceptable information to be stored in repositories.\n", - "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5", - "created": "2023-03-10T20:35:16.772Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:35:16.772Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.239Z", - "relationship_type": "mitigates", - "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. 
(Citation: DHS National Urban Security Technology Laboratory April 2019)\n", - "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "external_references": [ - { - "source_name": "DHS National Urban Security Technology Laboratory April 2019", - "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", - "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jeff Jones May 2018", - "description": "Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 2020/01/03 ", - "url": "https://www.eisac.com/public-news-detail?id=115909" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:40:28.784Z", - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. 
(Citation: Jeff Jones May 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Inc. June 2017", - "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", - "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:55:26.032Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. 
June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.086Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "SecureWorks September 2019", - "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" - }, - { - "source_name": "Tom Fakterman August 2019", - "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:06:28.859Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. 
(Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab", - "type": "relationship", - "created": "2017-05-31T21:33:27.070Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Symantec Dragonfly", - "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", - "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" - }, - { - "source_name": "Gigamon Berserk Bear October 2021", - "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", - "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021." - } - ], - "modified": "2021-12-07T18:39:07.922Z", - "description": "(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", - "relationship_type": "uses", - "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "type": "relationship", "id": "relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91", 
@@ -13107,77 +8740,27 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.071Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361", + "created": "2023-09-29T17:40:34.866Z", "revoked": false, - "external_references": [ - { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:35:50.632Z", - "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. 
(Citation: Booz Allen Hamilton)\n", - "relationship_type": "uses", - "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "modified": "2023-09-29T17:40:34.866Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:01:18.283Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693", + "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -13191,118 +8774,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:12:48.097Z", - "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)", + "modified": "2022-10-12T16:04:03.547Z", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). (Citation: Symantec Security Response July 2014)", "relationship_type": "uses", "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Allanite Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/allanite/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:40:08.649Z", - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. 
(Citation: Dragos)", - "relationship_type": "uses", - "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:12:25.664Z", - "description": "Monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. 
In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702", - "created": "2023-03-22T15:52:30.607Z", - "revoked": false, - "external_references": [ - { - "source_name": "PLCTop20 Mar 2023", - "description": "PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.", - "url": "https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-22T15:52:30.607Z", - "description": "Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.(Citation: PLCTop20 Mar 2023)", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.122Z", - "relationship_type": "mitigates", - "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:15:33.180Z", - "description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -13313,30 +8789,13 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.181Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c", + "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.128Z", "relationship_type": "mitigates", - "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. 
Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n", + "source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -13347,80 +8806,58 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", + "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.179Z", + "modified": "2022-05-06T17:47:24.210Z", "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.150Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.068Z", - "relationship_type": "mitigates", - "description": "Provide an alternative method for alarms to be reported in the event of a communication failure.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. 
Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863", + "created": "2023-09-28T20:29:11.776Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:38:23.604Z", - "description": "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "modified": "2023-09-28T20:29:11.776Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:54:26.520Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -13431,25 +8868,668 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", + "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.166Z", + "modified": "2022-05-06T17:47:24.218Z", "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. 
This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--052552e9-eac0-4b37-9df8-2e921053e305", + "created": "2023-03-30T19:05:17.003Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:05:17.003Z", + "description": "Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:30:17.124Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", + "created": "2022-09-28T20:22:09.916Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:16:59.156Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--06782c99-93de-4db9-9c30-6f96aef894d2", + "created": "2023-03-30T19:06:49.501Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:06:49.501Z", + "description": "Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid 
Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:19:04.571Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.183Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--06f15629-d050-434a-aed1-3bb3f90c97b2", + "created": "2022-09-27T15:22:37.864Z", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:22:37.864Z", + "description": "Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:12:43.166Z", + "description": "Monitor asset alarms which may help identify a loss of communications. 
Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e", + "created": "2023-09-28T21:28:51.104Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:51.104Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--076bfea6-309e-4804-a147-dffe93983481", + "created": "2023-09-28T20:16:17.295Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:17.295Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--07c0e166-f05e-413f-8f3e-f487317c9626", + "created": "2023-03-22T15:53:59.953Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-22T15:53:59.953Z", + "description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--07e06d21-e666-4274-838a-ef9996fdc0cd", + "created": "2023-09-28T20:05:45.540Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:05:45.540Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44", + "created": "2023-09-29T16:47:20.192Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:47:20.192Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "Application control may be able to prevent the running of executables masquerading as other files.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.115Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + 
"target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.206Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:47.375Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0951222a-42d1-4635-bb12-5285bc6500e0", + "created": "2023-09-28T20:15:45.244Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:45.244Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--095456bc-898b-4c76-a062-ff0ea90aeab4", + "created": "2023-09-28T21:25:05.393Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:25:05.393Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--096c3136-dac9-4729-98c0-c8d870f2bd13", + "created": "2023-09-28T19:42:01.055Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:42:01.055Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.164Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--09e0c991-1707-431b-a0fd-fd8215e6d552", + "created": "2023-09-28T20:30:12.291Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:12.291Z", + 
"description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6", + "created": "2023-09-28T19:53:56.266Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:56.266Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:46.146Z", + "description": "Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0a421699-f013-49f4-9d9f-01d95d210510", + "created": "2023-09-28T19:37:25.214Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:37:25.214Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a", + "created": "2023-09-29T17:38:04.048Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:04.048Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:29:20.151Z", + "description": "All field 
controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91", + "created": "2023-10-02T20:23:11.865Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:11.865Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42", + "created": "2023-09-28T19:59:10.561Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:59:10.561Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": 
"0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f", + "created": "2023-09-28T21:22:48.239Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:22:48.239Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:38.303Z", + "description": "Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b", + "created": "2023-09-29T18:46:22.739Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:46:22.739Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016", + "created": "2023-09-28T20:10:34.479Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:10:34.479Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "type": "relationship", "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", 
@@ -13483,3764 +9563,30 @@ }, { "type": "relationship", - "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", - "created": "2018-04-18T17:59:24.739Z", + "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", + "created": "2017-05-31T21:33:27.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:24:51.471Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. (Citation: Jos Wetzels January 2018)", + "modified": "2022-10-12T17:30:30.761Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. 
(Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--37abb3d5-24fc-4397-844e-07548d324729", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:32:20.552Z", - "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--97538255-b049-4d15-91c4-6b227cbea476", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:16:09.542Z", - "description": "Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that that an alarm setting has changed. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.152Z", - "relationship_type": "mitigates", - "description": "Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16", - "type": "relationship", - "created": "2020-06-10T18:36:54.638Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "NCSC Sandworm Feb 2020", - "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory", - "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020." 
- }, - { - "source_name": "US District Court Indictment GRU Unit 74455 October 2020", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download", - "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." - }, - { - "source_name": "UK NCSC Olympic Attacks October 2020", - "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", - "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." - }, - { - "source_name": "Secureworks IRON VIKING ", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." - }, - { - "source_name": "Trend Micro Cyclops Blink March 2022", - "url": "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", - "description": "Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022." 
- } - ], - "modified": "2022-03-17T15:07:01.055Z", - "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )(Citation: Trend Micro Cyclops Blink March 2022)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--2867f491-919b-463f-b689-bb3ceb7ae99f", - "created": "2022-09-28T20:31:07.486Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos-Pipedream", - "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - }, - { - "source_name": "Brubaker-Incontroller", - "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. 
Retrieved September 28, 2022.", - "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.434Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to remotely connect to Schneider PLCs and perform maintenance functions on the device.(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use Telnet to upload payloads and execute commands on Omron PLCs.\t(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream) The malware can also use HTTP-based CGI scripts (e.g., cpu.fcgi, ecat.fcgi) to gain administrative access to the device.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.201Z", - "relationship_type": "mitigates", - "description": "Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. 
This may be even more useful in cases where the source of the executed script is unknown.\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7c893581-c847-495a-aa93-9d98c516e1ae", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:13:43.688Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603)'s infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c", - "created": "2022-09-28T21:16:28.195Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.435Z", - "description": "The [INCONTROLLER](https://attack.mitre.org/software/S1045) PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. 
This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.(Citation: Wylie-22)", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b", - "created": "2023-03-30T19:26:19.782Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 Mandiant April 2022", - "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", - "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" - }, - { - "source_name": "Industroyer2 Forescout July 2022", - "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", - "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-06T22:09:28.674Z", - "description": "[Industroyer2](https://attack.mitre.org/software/S1072) can iterate across a device’s IOAs to modify the ON/OFF value of a given IO state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", - "relationship_type": "uses", - "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:11.538Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.126Z", - "relationship_type": "mitigates", - "description": "Consider utilizing jump boxes for external remote access. 
Additionally, dynamic account management may be used to easily remove accounts when not in use.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.146Z", - "relationship_type": "mitigates", - "description": "Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3", - "created": "2022-09-26T14:44:05.557Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:49:44.728Z", - "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": 
"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.080Z", - "relationship_type": "mitigates", - "description": "Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.204Z", - "relationship_type": "mitigates", - "description": "Users can be trained to identify social engineering techniques and spearphishing emails.\n", - "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - }, - { - "source_name": "ICS-CERT December 2018", - "description": "ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02" - }, - { - "source_name": "Schneider Electric January 2018", - "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ", - "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s" - }, - { - "source_name": "The Office of Nuclear Reactor Regulation", - "description": "The Office of Nuclear Reactor Regulation Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30 ", - "url": "https://www.nrc.gov/docs/ML1209/ML120900890.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:28:54.342Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. 
(Citation: The Office of Nuclear Reactor Regulation)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.123Z", - "relationship_type": "mitigates", - "description": "Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n", - "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T16:43:45.457Z", - "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - 
"x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.184Z", - "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "MDudek-ICS", - "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", - "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:27:55.358Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. 
(Citation: MDudek-ICS)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.156Z", - "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:57:59.240Z", - "description": "Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.060Z", - "relationship_type": "mitigates", - "description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - 
"x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--86c94552-de59-453d-ac06-28a6a64db930", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:47:46.836Z", - "description": "Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:52:04.484Z", - "description": "Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": 
"relationship--17fdec71-98e8-4314-a1be-037edede58bd", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:26:48.171Z", - "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.184Z", - "relationship_type": "mitigates", - "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. 
Ensure the signing keys are not easily accessible on the same system.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--31203165-79d0-42e5-81f1-62150dea2c43", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:16:37.643Z", - "description": "Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of [Valid Accounts](https://attack.mitre.org/techniques/T0859) to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:35:32.480Z", - "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. (Citation: Booz Allen Hamilton)\n", - "relationship_type": "uses", - "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fd856176-396c-4121-9754-35e49bfa5758", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:41:55.062Z", - "description": "Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.123Z", - "relationship_type": "mitigates", - "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", - "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov", - "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", - "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:54:49.878Z", - "description": "[KillDisk](https://attack.mitre.org/software/S0607) deletes application, security, setup, and system event logs from Windows systems. 
(Citation: Anton Cherepanov)", - "relationship_type": "uses", - "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.090Z", - "relationship_type": "mitigates", - "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.072Z", - "relationship_type": "mitigates", - "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Allanite Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/allanite/" - }, - { - "source_name": "ICS-CERT October 2017", - "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2017/10/23 ", - "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:40:18.975Z", - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)", - "relationship_type": "uses", - "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--51eb15a3-48af-470f-94c0-10f25b366d72", - "created": "2022-09-28T20:30:22.148Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos-Pipedream", - "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.436Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can establish a remote HTTP connection to change the operating mode of Omron PLCs.(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.226Z", - "relationship_type": "mitigates", - "description": "Update software on control network assets when possible. 
If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.214Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", - "created": "2020-10-14T21:33:27.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos October 2018", - "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:54:09.871Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. (Citation: Dragos October 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a", - "created": "2022-09-30T15:34:29.316Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-30T15:34:29.316Z", - "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. 
Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.207Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a", - "created": "2022-09-27T15:49:26.908Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:49:26.908Z", - "description": "Monitor asset application logs for information that indicate task parameters have changed.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.146Z", - "relationship_type": "mitigates", - "description": "Require signed binaries.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863", - "created": "2022-05-11T16:22:58.805Z", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:40:22.279Z", - "description": "Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:18:37.808Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.206Z", - "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:33:10.450Z", - "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - 
"x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3", - "created": "2023-03-30T18:57:21.754Z", - "revoked": false, - "external_references": [ - { - "source_name": "Kevin Savage and Branko Spasojevic", - "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ", - "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T18:57:21.754Z", - "description": "[Flame](https://attack.mitre.org/software/S0143) has built-in modules to gather information from compromised computers. (Citation: Kevin Savage and Branko Spasojevic)", - "relationship_type": "uses", - "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.112Z", - "relationship_type": "mitigates", - "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", - "source_ref": 
"course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "McAfee CHIPSEC Blog", - "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", - "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" - }, - { - "source_name": "MITRE Copernicus", - "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", - "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" - }, - { - "source_name": "Intel HackingTeam UEFI Rootkit", - "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", - "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" - }, - { - "source_name": "Github CHIPSEC", - "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", - "url": "https://github.com/chipsec/chipsec" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:48:28.074Z", - "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. 
Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.235Z", - "relationship_type": "mitigates", - "description": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": 
"relationship--c8dd2735-bd04-4413-847d-316b77c6de19", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:23:14.457Z", - "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:57:08.952Z", - "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--892c0bff-17b6-447b-a213-6a3189a1df82", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:51:45.844Z", - "description": "Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927", - "created": "2023-03-30T14:08:06.442Z", - 
"revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T14:08:06.442Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:42:35.018Z", - "description": "Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs 
or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--45ee1822-71e4-4d92-976d-306561b70555", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.106Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.143Z", - "relationship_type": "mitigates", - "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5c695f49-6c76-4818-88b6-4db2bf029e43", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T17:38:22.073Z", - "description": "Monitor for file creation in conjunction with other techniques (e.g., file transfers using [Remote Services](https://attack.mitre.org/techniques/T0886)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa", - "created": "2022-09-27T16:35:12.372Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:47:35.207Z", - "description": "Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.209Z", - "relationship_type": "mitigates", - "description": "When available utilize hardware and software root-of-trust to verify the authenticity of a system. 
This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.211Z", - "relationship_type": "mitigates", - "description": "Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP)\n", - "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "external_references": [ - { - "source_name": "OWASP", - "description": "OWASP Top 10 Web Application Security Risks Retrieved. 2020/09/25 ", - "url": "https://owasp.org/www-project-top-ten/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.199Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. 
Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", - "created": "2021-04-13T12:36:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:00:27.700Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.094Z", - "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:38:17.130Z", - "description": "Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.233Z", - "relationship_type": "mitigates", - "description": "Applications and appliances that utilize default username and password should be changed 
immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "CISA June 2013", - "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.167Z", - "relationship_type": "mitigates", - "description": "Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", - "created": "2018-04-18T17:59:24.739Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", - "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf", - "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, 
Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 " - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. (Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)", - "modified": "2022-08-11T13:23:12.321Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--adf2072c-0341-4fc2-9d25-495b4af864e9", - "created": "2023-03-10T20:09:22.370Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:09:22.370Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:13:57.066Z", - "description": "Protect files with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T14:34:42.612Z", - "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6", - "created": "2022-09-27T16:56:30.665Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:39:41.897Z", - "description": "Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:39:30.850Z", - "description": "Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:29:53.545Z", - "description": "Devices that allow remote management of 
firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e4a11381-8608-4c71-966f-df0cbb834fe0", - "created": "2022-09-30T15:35:09.660Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:51:08.392Z", - "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). 
For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.126Z", - "relationship_type": "mitigates", - "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n", - "source_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--245c8c36-28e5-4508-a585-7768cb33299a", - "created": "2023-03-10T20:06:10.209Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:06:10.209Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.231Z", - "relationship_type": "mitigates", - "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n", - "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Schweitzer Engineering Laboratories August 2015", - "description": "Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 ", - "url": "https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7e87ce08-a428-4e55-876e-80d2760121a5", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:37:35.099Z", - "description": "Monitor executed commands and arguments for actions that could be taken to collect internal data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Chrysene Retrieved. 
2019/10/27 ", - "url": "https://dragos.com/resource/chrysene/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:32:49.409Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) utilized stolen credentials to gain access to victim machines.(Citation: Dragos)", - "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "MDudek-ICS", - "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", - "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:26:26.552Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. 
(Citation: MDudek-ICS)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.185Z", - "relationship_type": "mitigates", - "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af", - "created": "2022-09-27T16:08:15.473Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:08:15.473Z", - "description": "Monitor device application logs that indicate the program has changed, although not all devices produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e18af08c-3953-4b1d-b46c-45572fdb5187", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T19:02:08.013Z", - "description": "Monitor operational data for indicators of temporary data loss which may indicate a Denial of Service. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.143Z", - "relationship_type": "mitigates", - "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1", - "created": "2022-05-11T16:22:58.807Z", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:26:20.823Z", - "description": "Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:28:22.574Z", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", - "created": "2019-03-25T19:13:54.947Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:32:23.717Z", - "description": "[WannaCry](https://attack.mitre.org/software/S0366) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.075Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41", - "created": "2022-09-26T19:30:14.122Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:15:05.195Z", - "description": "Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--641813ea-66a9-4949-848f-db83420aac39", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:56:04.784Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.070Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices 
have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:59:40.539Z", - "description": "Monitor device application logs parameter changes, although not all devices will produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.175Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:31:22.665Z", - "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.152Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016) (Citation: N/A)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "N/A", - "description": "N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 2020/09/25 ", - "url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:49:11.920Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.068Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb", - "type": "relationship", - "created": "2021-01-20T21:03:13.436Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "US District Court Indictment GRU Unit 74455 October 2020", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download", - "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." - }, - { - "source_name": "Secureworks IRON VIKING ", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
- } - ], - "modified": "2022-02-28T17:02:50.467Z", - "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--29b85313-645b-4fb1-b5c2-f580d111760b", - "created": "2022-09-26T19:38:04.844Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:36:50.910Z", - "description": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.132Z", - "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the 
network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "external_references": [ - { - "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", - "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", - "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--cfcbca89-8912-40c0-ac15-47882162b132", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:00:16.899Z", - "description": "Monitor application logs for new or unexpected devices or sessions on wireless networks.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": 
"relationship--bc383819-2e40-49b4-bea9-95eb5d418877", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:15:38.341Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify his own block DB890), this blocks data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", - "created": "2019-06-24T17:20:24.258Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Catalin Cimpanu April 2016", - "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", - "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:39:25.984Z", - "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. 
(Citation: Catalin Cimpanu April 2016)", - "relationship_type": "uses", - "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CopyFromScreen .NET", - "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.", - "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8" - }, - { - "source_name": "Antiquated Mac Malware", - "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", - "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:38:15.307Z", - "description": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. 
Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.091Z", - "relationship_type": "mitigates", - "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. 
Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Hydro", - "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", - "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" - }, - { - "source_name": "Kevin Beaumont", - "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", - "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:56:48.612Z", - "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of view which forced the company to switch to manual operations. 
(Citation: Kevin Beaumont) (Citation: Hydro)", - "relationship_type": "uses", - "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.164Z", - "relationship_type": "mitigates", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--66d637a0-4874-4b12-bd3a-b408acb06d26", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:53:54.118Z", - "description": "Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. 
Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Threat Intelligence August 2019", - "description": "Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03 ", - "url": "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:06:51.429Z", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers. 
(Citation: Dragos Threat Intelligence August 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:42:42.363Z", - "description": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:56:06.055Z", - "description": "Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Tom Fakterman August 2019", - "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:03:36.379Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. 
(Citation: Tom Fakterman August 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:37:44.970Z", - "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible, to determine their actions and intent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--81117328-e2bb-431c-a1ca-6ba7e6816637", - "created": "2022-09-26T16:25:38.511Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:25:38.511Z", - "description": "Consult asset management systems to understand expected program versions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.208Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:59:13.486Z", - "description": "Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.195Z", - "relationship_type": "mitigates", - "description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n", - "source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": 
"relationship--06782c99-93de-4db9-9c30-6f96aef894d2", - "created": "2023-03-30T19:06:49.501Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:06:49.501Z", - "description": "Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.104Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov", - "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", - "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:55:06.661Z", - "description": "[KillDisk](https://attack.mitre.org/software/S0607) is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. 
(Citation: Anton Cherepanov)", - "relationship_type": "uses", - "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.147Z", - "relationship_type": "mitigates", - "description": "Use file system access controls to protect system and application folders.\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:27:26.605Z", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a", - "created": "2022-09-26T14:37:45.140Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:37:45.140Z", - "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control 
Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:22:38.490Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "MDudek-ICS", - "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 
2019/11/03 ", - "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T20:46:03.389Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.(Citation: MDudek-ICS)\n\n[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.(Citation: MDudek-ICS)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Atlassian Confluence Logging", - "description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.", - "url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html" - }, - { - "source_name": "Microsoft SharePoint Logging", - "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.", - "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2" - }, - { - "source_name": "Sharepoint Sharing Events", - "description": "Microsoft. (n.d.). Sharepoint Sharing Events. 
Retrieved October 8, 2021.", - "url": "https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:13:08.567Z", - "description": "Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.(Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource.(Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.(Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a731ad54-0c3c-47bb-9559-d99950782beb", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:22:39.784Z", - "description": "Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). 
For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", - "created": "2021-01-04T21:30:14.830Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ESET Industroyer", - "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - }, - { - "source_name": "Dragos Crashoverride 2017", - "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", - "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" - }, - { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - }, - { - "source_name": "Secureworks IRON VIKING", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. 
Retrieved June 10, 2020.", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:46:32.756Z", - "description": "(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919", - "created": "2022-09-27T16:30:41.482Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:30:41.482Z", - "description": "Monitor device management protocols for functions that modify programs such as online edit and program append events.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--cba8313b-c338-45f7-88ef-a514094882ac", - "created": "2022-09-28T20:28:39.348Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). 
Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.446Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.(Citation: Wylie-22)", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b07e6896-a840-49a1-8d58-94396a902b95", - "created": "2023-03-31T17:56:07.978Z", - "revoked": false, - "external_references": [ - { - "source_name": "ESET Industroyer", - "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. 
Retrieved December 18, 2020.", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-31T17:56:07.978Z", - "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) supplied the name of the payload DLL to [Industroyer](https://attack.mitre.org/software/S0604) via a command line parameter.(Citation: ESET Industroyer)", - "relationship_type": "uses", - "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e", - "created": "2021-04-13T12:45:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T20:19:47.429Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. 
This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\n[Stuxnet](https://attack.mitre.org/software/S0603) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:18:43.413Z", - "description": "Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. 
Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:39:20.443Z", - "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. 
Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.183Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:59:36.071Z", - "description": "Monitor for unexpected deletion of files.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:32:51.548Z", - "description": "Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": 
"relationship", - "id": "relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:46:16.720Z", - "description": "When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.226Z", - "relationship_type": "mitigates", - "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. 
(Citation: North America Transmission Forum December 2019)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "external_references": [ - { - "source_name": "North America Transmission Forum December 2019", - "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", - "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.166Z", - "relationship_type": "mitigates", - "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:28:23.911Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.192Z", - "relationship_type": "mitigates", - "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "external_references": [ - { - "source_name": "D. Parsons and D. 
Wylie September 2019", - "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", - "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" - }, - { - "source_name": "Colin Gray", - "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", - "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" - }, - { - "source_name": "Josh Rinaldi April 2016", - "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", - "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" - }, - { - "source_name": "Aditya K Sood July 2019", - "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", - "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" - }, - { - "source_name": "Langner November 2018", - "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", - "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--1d399f67-090e-444b-b75d-eed4b1780f08", - "created": "2022-09-26T18:42:16.844Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T18:42:16.844Z", - "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.195Z", - "relationship_type": "mitigates", - "description": "Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n", - "source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.209Z", - "relationship_type": "mitigates", - "description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:34:29.743Z", - "description": "Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. 
The latter is like detection for [Rogue Master](https://attack.mitre.org/techniques/T0848) but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).\n\nMonitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", - "type": "relationship", - "created": "2020-09-22T19:41:27.951Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Secureworks REvil September 2019", - "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", - "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." - }, - { - "source_name": "Secureworks GandCrab and REvil September 2019", - "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", - "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." 
- } - ], - "modified": "2020-09-22T19:41:27.951Z", - "description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", - "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.094Z", - "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "external_references": [ - { - "source_name": "M. Rentschler and H. Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2", - "created": "2023-03-10T20:09:49.009Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:09:49.009Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--92ea1c2a-3835-43de-bb56-24e937a6f322", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:31:12.226Z", - "description": "Monitor for events associated with scripting execution, such as the loading of modules 
associated with scripting languages (e.g., JScript.dll, vbscript.dll).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3", - "created": "2022-09-27T17:37:02.670Z", - "revoked": false, - "external_references": [ - { - "source_name": "Nzyme Alerts Intro", - "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", - "url": "https://www.nzyme.org/docs/alerts/intro" - }, - { - "source_name": "Wireless Intrusion Detection", - "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", - "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T17:37:02.670Z", - "description": "Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. 
In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.108Z", - "relationship_type": "mitigates", - "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. (Citation: MITRE June 2020)\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "external_references": [ - { - "source_name": "MITRE June 2020", - "description": "MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 
2020/09/25 ", - "url": "https://cwe.mitre.org/data/definitions/227.html" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:29:20.151Z", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:54:30.385Z", - "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.224Z", - "relationship_type": "mitigates", - "description": "Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.\n", - "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--730580d4-d68c-407f-9d09-f379e9aefc7e", - "created": "2023-03-30T19:25:41.475Z", - "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 Forescout July 2022", - "description": "Forescout. (2022, July 14). 
Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", - "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:25:41.475Z", - "description": "[Industroyer2](https://attack.mitre.org/software/S1072) uses a General Interrogation command to monitor the device’s Information Object Addresses (IOAs) and their IO state values.(Citation: Industroyer2 Forescout July 2022)", - "relationship_type": "uses", - "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.199Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.097Z", - "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", - "external_references": [ - { - "source_name": "M. Rentschler and H. Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.128Z", - "relationship_type": "mitigates", - "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b48be9f9-de0e-4548-ade3-09d47af52798", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:03:58.153Z", - "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. 
In cases where alternative methods of communicating with outstations exist alarms may still be visible even if command messages are blocked.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f664bf42-5fb2-41e5-b790-978ddf866da3", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T17:45:58.655Z", - "description": "Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:43:33.144Z", - "description": "Monitor ICS management protocols for functions that change an asset’s operating mode.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7", - "created": "2023-03-30T19:25:22.673Z", - "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 Forescout July 2022", - "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", - "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:25:22.673Z", - "description": "[Industroyer2](https://attack.mitre.org/software/S1072) leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.(Citation: Industroyer2 Forescout July 2022)", - "relationship_type": "uses", - "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "type": "relationship", "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", 
@@ -17278,1062 +9624,40 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.224Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625", - "created": "2021-10-14T21:33:27.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Electrum Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/electrum/" - }, - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-07T17:01:17.079Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)(Citation: Dragos)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.112Z", - "relationship_type": "mitigates", - "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": 
"relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "FireEye TRITON", - "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.", - "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" - }, - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T20:49:30.525Z", - "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. 
(Citation: DHS CISA February 2019)\n\n[Triton](https://attack.mitre.org/software/S1009) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.(Citation: FireEye TRITON)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a", + "created": "2022-09-27T15:49:26.908Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T17:07:49.346Z", - "description": "Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.", + "modified": "2022-09-27T15:49:26.908Z", + "description": "Monitor asset application logs for information that indicate task parameters have changed.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": 
"2022-05-06T17:47:24.227Z", - "relationship_type": "mitigates", - "description": "Prevent the use of unsigned executables, such as installers and scripts.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--71c81024-ea36-4853-940a-cd9d4cbcabed", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos December 2017", - "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", - "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:05:39.957Z", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment. 
(Citation: Dragos December 2017)", - "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.178Z", - "relationship_type": "mitigates", - "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:40:51.224Z", - "description": "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", 
- "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.106Z", - "relationship_type": "mitigates", - "description": "Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n", - "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d", - "created": "2023-03-30T14:09:40.255Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T14:09:40.255Z", - "description": "Monitor for device alarms produced when device management passwords are changed, although not all devices will produce such alarms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:46:05.831Z", - "description": "Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe). ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.194Z", - "relationship_type": "mitigates", - "description": "Consider the disabling of features such as AutoRun.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": 
"relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.127Z", - "relationship_type": "mitigates", - "description": "Set and enforce secure password policies for accounts.\n", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--2e0769d7-088e-45d5-a262-6dbc91a95073", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:51:31.992Z", - "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.164Z", - "relationship_type": "mitigates", - "description": 
"Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Carl Hurd March 2019", - "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", - "url": "https://www.youtube.com/watch?v=yuZazP22rpI" - }, - { - "source_name": "William Largent June 2018", - "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", - "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:31:19.732Z", - "description": "The [VPNFilter](https://attack.mitre.org/software/S1010) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. 
(Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", - "relationship_type": "uses", - "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:30:40.378Z", - "description": "Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf", - "created": "2023-03-30T19:01:40.038Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:01:40.038Z", - "description": "Monitor for any suspicious attempts to enable scripts running on a system. 
If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--642cae89-bb5c-46f3-9fea-8d747b930c35", - "created": "2023-03-10T20:11:10.018Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-05T22:03:14.174Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. 
The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community's affected rivers.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:16:39.070Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T13:49:40.767Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f", - "created": "2022-09-26T18:41:48.947Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T18:41:48.947Z", - "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.150Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:17:59.179Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:11:14.662Z", - "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b", - 
"created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:17:44.736Z", - "description": "Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.195Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:45:37.289Z", - "description": "Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of [Valid Accounts](https://attack.mitre.org/techniques/T0859).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.240Z", - "relationship_type": "mitigates", - "description": "Reduce the range of RF communications to their intended operating range when possible. 
Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", - "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", - "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", - "external_references": [ - { - "source_name": "DHS National Urban Security Technology Laboratory April 2019", - "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", - "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:17.429Z", - "modified": "2022-05-06T17:47:24.188Z", - "relationship_type": "mitigates", - "description": "Limit the accounts that may use remote services. 
Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.101Z", - "relationship_type": "mitigates", - "description": "Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3's 0x0D function code or unnecessary device management functions.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T16:46:30.174Z", - "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", - "relationship_type": "mitigates", - "source_ref": 
"course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--648c6649-5861-4b43-a7e5-a9665bafb576", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:17:15.157Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--97641754-f215-4b8f-b0cd-0d3142053c76", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "McAfee CHIPSEC Blog", - "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", - "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" - }, - { - "source_name": "MITRE Copernicus", - "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", - "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" - }, - { - "source_name": "Intel HackingTeam UEFI Rootkit", - "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", - "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" - }, - { - "source_name": "Github CHIPSEC", - "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", - "url": "https://github.com/chipsec/chipsec" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:48:56.024Z", - "description": "Monitor firmware for unexpected changes. 
Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.201Z", - "relationship_type": "mitigates", - "description": "Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.203Z", - "relationship_type": "mitigates", - "description": "Deploy anti-virus on all systems that support external email.\n", - "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:11:30.678Z", - "description": "Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--32dbed4e-4dbe-4872-a013-c96111ed102e", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - }, - { - "source_name": "ICS-CERT February 2016", - "description": "ICS-CERT 2016, February 25 Cyber-Attack Against Ukrainian Critical Infrastructure Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01" - }, - { - "source_name": "John Hultquist January 2016", - "description": "John Hultquist 2016, January 07 Sandworm Team and the Ukrainian Power Authority Attacks Retrieved. 2019/03/08 ", - "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" - }, - { - "source_name": "Zetter, Kim March 2016", - "description": "Zetter, Kim 2016, March 03 INSIDE THE CUNNING, UNPRECEDENTED HACK OF UKRAINE'S POWER GRID Retrieved. 
2019/03/08 ", - "url": "https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:54:58.823Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) harvested VPN worker credentials and used them to remotely log into control system networks. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016) (Citation: Zetter, Kim March 2016) (Citation: ICS-CERT February 2016) (Citation: John Hultquist January 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.081Z", - "relationship_type": "mitigates", - "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d", - "created": "2022-09-30T15:28:37.614Z", - "revoked": false, - 
"object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-30T15:28:37.614Z", - "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T17:15:27.767Z", - "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:49:29.157Z", - 
"description": "Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.127Z", - "relationship_type": "mitigates", - "description": "Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.201Z", - "relationship_type": "mitigates", - "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application 
logic programs. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f", - "created": "2022-09-27T18:40:11.818Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:12:41.739Z", - "description": "In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9", - "created": "2022-09-23T16:36:40.950Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:50:45.583Z", - "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.079Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--98b229f8-6020-4fbb-b104-54fd478c14d9", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:29:49.652Z", - "description": "Monitor logon sessions for default credential use.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0c72593d-fcc6-4023-8771-bed5e243310e", + "created": "2023-09-28T21:24:37.417Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-21T13:49:04.746Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": 
"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--07c0e166-f05e-413f-8f3e-f487317c9626", - "created": "2023-03-22T15:53:59.953Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-22T15:53:59.953Z", - "description": "Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2023-09-28T21:24:37.417Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -18342,1601 +9666,115 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665", + "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.104Z", + "modified": "2022-05-06T17:47:24.070Z", "relationship_type": "mitigates", - "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--26254163-4f25-4d30-8456-ca093459ff32", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:32:29.856Z", - "description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:50:54.867Z", - "description": "On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.\n\nOn network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.130Z", - "relationship_type": "mitigates", - "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. 
Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Symantec", - "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", - "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:10:47.409Z", - "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data in information repositories, including the Infostealer 2 module that can access data from Windows Shares.(Citation: Symantec)", - "relationship_type": "uses", - "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:17:25.451Z", - "description": "Monitor for newly 
executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to login and may perform follow-on actions that spawn additional processes as the user.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec", - "created": "2022-09-26T15:38:45.913Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:38:45.913Z", - "description": "Monitor for loss of expected device alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--2057ec71-a94f-49cc-b348-2eeb44899afd", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T18:40:20.312Z", - "description": "Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32). 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.229Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:14:57.034Z", - "description": "Monitor for alarm setting changes observable in automation or management network protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - 
"x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8", - "created": "2023-03-31T17:44:19.711Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-07T19:50:55.445Z", - "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a VBS script to facilitate lateral tool transfer. 
The VBS script was used to copy ICS-specific payloads with the following command: `cscript C:\\Backinfo\\ufn.vbs C:\\Backinfo\\101.dll C:\\Delta\\101.dll`(Citation: Dragos Crashoverride 2018)", - "relationship_type": "uses", - "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:11:33.323Z", - "description": "Monitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022", - "created": "2022-09-27T17:39:15.655Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:56:24.399Z", - "description": "Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.220Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Robert Falcone, Bryan Lee May 2016", - "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", - "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:32:03.970Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": 
"relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.220Z", - "relationship_type": "mitigates", - "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-28T18:44:20.611Z", - "description": "Monitor for unexpected ICS protocol functions from new and existing devices. 
Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:49:07.316Z", - "description": "Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.177Z", - "relationship_type": "mitigates", - "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - 
"target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.160Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:28:50.588Z", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.157Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - 
"target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "MDudek-ICS", - "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", - "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:27:15.545Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. (Citation: MDudek-ICS)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:16:10.677Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ESET", - "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:10:58.645Z", - "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) can collect AutoCad files with drawings. These drawings may contain operational information. 
(Citation: ESET)\n", - "relationship_type": "uses", - "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:24:36.935Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. 
(Citation: DHS CISA February 2019)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.084Z", - "relationship_type": "mitigates", - "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5041e17d-6349-4589-8c61-7b43964b5f9b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.227Z", - "relationship_type": "mitigates", - "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. 
(Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "external_references": [ - { - "source_name": "Emerson Exchange", - "description": "Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ", - "url": "https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot" - }, - { - "source_name": "National Security Agency February 2016", - "description": "National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 2020/09/25 ", - "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:24:02.276Z", - "description": "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0603) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--4631bf49-da0b-4415-a226-112c99ff0f64", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:22:17.841Z", - "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. 
Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Hydro", - "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", - "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" - }, - { - "source_name": "Kevin Beaumont", - "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", - "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:57:06.704Z", - "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. 
This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", - "relationship_type": "uses", - "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.145Z", - "relationship_type": "mitigates", - "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.226Z", - "relationship_type": "mitigates", - "description": "Consider implementing full disk encryption, especially if engineering workstations are 
transient assets that are more likely to be lost, stolen, or tampered with. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:21:24.221Z", - "description": "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. 
By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0603) prevents an operator from noticing unauthorized commands sent to the peripheral. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--99c0c90e-8526-41d6-80ca-b037598c6326", - "created": "2022-09-26T19:37:35.412Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8", + "created": "2023-09-28T19:51:27.775Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:36:13.269Z", - "description": "Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "modified": "2023-09-28T19:51:27.775Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b", - "created": 
"2022-05-11T16:22:58.806Z", + "id": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", + "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T16:24:52.417Z", - "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:41:46.146Z", - "description": "Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee", - "created": "2022-09-29T14:26:04.715Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], 
- "modified": "2022-09-29T14:26:04.715Z", - "description": "Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.", + "modified": "2022-09-26T16:43:33.144Z", + "description": "Monitor ICS management protocols for functions that change an asset’s operating mode.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Andy Greenburg June 2019", - "description": "Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 2020/01/03 ", - "url": "https://www.wired.com/story/iran-hackers-us-phishing-tensions/" - }, - { - "source_name": "Jacqueline O'Leary et al. September 2017", - "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", - "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:41:49.943Z", - "description": "[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. 
(Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. (Citation: Andy Greenburg June 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--671043a9-337f-411a-9ca9-3112e897ab09", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.184Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.123Z", - "relationship_type": "mitigates", - "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:45:25.119Z", - "description": "Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.154Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", + "created": "2022-09-28T20:29:51.844Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Robert Falcone, Bryan Lee May 2016", - "description": 
"Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", - "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:32:31.072Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) communicated with its command and control using HTTP requests. (Citation: Robert Falcone, Bryan Lee May 2016)", + "modified": "2022-10-12T15:17:08.493Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ", "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:33:51.166Z", - "description": "Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.", - 
"relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", - "created": "2019-06-24T17:20:24.258Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Catalin Cimpanu April 2016", - "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", - "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:40:11.392Z", - "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to temporarily shutdown. 
(Citation: Catalin Cimpanu April 2016)", - "relationship_type": "uses", - "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", - "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95", - "created": "2022-09-27T17:22:27.241Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:54:23.870Z", - "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:00:13.772Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.228Z", - "relationship_type": "mitigates", - "description": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. 
Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n", - "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b8b1739d-dfa2-44e9-907f-7085e262512f", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0d52eea3-394e-492b-944b-9ccb6348329d", + "created": "2023-09-28T21:14:41.633Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T19:01:52.517Z", - "description": "Monitor login sessions for new or unexpected devices or sessions on wireless networks.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:44:06.211Z", - "description": "Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. 
For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:42:04.422Z", - "description": "Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.065Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.174Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.160Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--79d05cb2-ded0-4847-b52e-af7af421f303", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Kevin Savage and Branko Spasojevic", - "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 
2019/11/03 ", - "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:50:07.974Z", - "description": "[Flame](https://attack.mitre.org/software/S0143) can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information. (Citation: Kevin Savage and Branko Spasojevic)", - "relationship_type": "uses", - "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - }, - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:25:29.480Z", - "description": "[Triton](https://attack.mitre.org/software/S1009)'s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--73a48431-3597-4a72-acb8-c1e5019073e2", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Twitter ItsReallyNick Masquerading Update", - "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. 
Retrieved April 22, 2019.", - "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:41:24.266Z", - "description": "Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.(Citation: Twitter ItsReallyNick Masquerading Update)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Selena Larson, Camille Singleton December 2020", - "description": "Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 2021/04/12 ", - "url": "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fransomware-in-ics-environments%2F" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:06:16.474Z", - "description": "The [REvil](https://attack.mitre.org/software/S0496) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. 
(Citation: Selena Larson, Camille Singleton December 2020)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.234Z", - "relationship_type": "mitigates", - "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "Microsoft May 2017", - "description": "Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ", - "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" - }, - { - "source_name": "Microsoft August 2018", - "description": "Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 
2020/09/25 ", - "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" - }, - { - "source_name": "Microsoft February 2019", - "description": "Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ", - "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:55:14.211Z", - "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. 
For added context on adversary procedures and background see [User Execution](https://attack.mitre.org/techniques/T1204) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 Magnallium Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/magnallium/" - }, - { - "source_name": "Symantec March 2019", - "description": "Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 ", - "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:42:15.944Z", - "description": "[APT33](https://attack.mitre.org/groups/G0064) utilized PowerShell scripts to establish command and control and install files for execution. 
(Citation: Symantec March 2019) (Citation: Dragos)", - "relationship_type": "uses", - "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:58:34.751Z", - "description": "Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", - "created": "2021-10-13T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:29:11.326Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c", - "created": "2023-03-10T20:36:34.109Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:36:34.109Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "modified": "2023-09-28T21:14:41.633Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:09:42.474Z", - "description": "Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", 
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.120Z", - "relationship_type": "mitigates", - "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--06f15629-d050-434a-aed1-3bb3f90c97b2", - "created": "2022-09-27T15:22:37.864Z", - "revoked": false, - "external_references": [ - { - "source_name": "Elastic - Koadiac Detection with EQL", - "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020.", - "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:22:37.864Z", - "description": "Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - }, - { - "source_name": "Langer Stuxnet", - "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. 
Retrieved December 7, 2020.", - "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-17T16:00:35.053Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. (Citation: Langer Stuxnet)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", - "created": "2019-03-26T16:19:52.358Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:58:23.141Z", - "description": "[NotPetya](https://attack.mitre.org/software/S0368) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919", + "id": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T17:00:06.347Z", - "description": "Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).", + "modified": "2022-09-30T16:00:14.208Z", + "description": "Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., “Read” function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process’ state, one of which is typically used in the operational environment. 
Monitor for the operating mode being checked in unexpected ways.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.108Z", - "relationship_type": "mitigates", - "description": "All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:37:24.268Z", - "description": "Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", 
"x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -19944,21 +9782,40 @@ }, { "type": "relationship", - "id": "relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0d8e0324-ba8e-4712-a123-60377afe94da", + "created": "2023-09-29T18:48:17.073Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:39:13.371Z", - "description": "Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "modified": "2023-09-29T18:48:17.073Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136", + "created": "2023-09-29T17:57:12.010Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:12.010Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -19981,48 +9838,39 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "type": "relationship", - "id": "relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:56:58.977Z", - "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "type": "relationship", + "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.181Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--62e818b8-38e6-42ff-9424-9a327332eb2a", - "created": "2022-09-29T20:02:37.671Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954", + "created": "2023-09-29T16:27:50.949Z", "revoked": false, - "external_references": [ - { - "source_name": "ESET Industroyer", - "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-17T15:22:56.606Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. 
It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.(Citation: ESET Industroyer)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "modified": "2023-09-29T16:27:50.949Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -20070,6 +9918,1616 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.202Z", + "relationship_type": "mitigates", + "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", + "source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Allanite Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/allanite/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:08.649Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. 
(Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29", + "created": "2023-09-29T17:57:34.378Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:34.378Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Andy Greenburg June 2019", + "description": "Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 2020/01/03 ", + "url": "https://www.wired.com/story/iran-hackers-us-phishing-tensions/" + }, + { + "source_name": "Jacqueline O'Leary et al. September 2017", + "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 
2019/12/02 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:41:49.943Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. (Citation: Andy Greenburg June 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0f5295ce-d705-4541-8dda-c569b126d103", + "created": "2023-10-02T20:24:03.723Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:24:03.723Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72", + "created": "2023-09-29T17:09:11.210Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:11.210Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.197Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.137Z", + "relationship_type": "mitigates", + "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", + "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.229Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--10626671-941d-4a82-a835-56059058ef87", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--106530e1-375a-4ac4-befb-8297b3b05610", + "created": "2023-09-29T18:55:58.199Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:55:58.199Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.099Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--10e87e4b-a231-42e3-a011-0031f8226936", + "created": "2022-09-26T17:15:51.819Z", 
+ "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:15:51.819Z", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:09:35.145Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.234Z", + "relationship_type": "mitigates", + "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Microsoft May 2017", + "description": "Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" + }, + { + "source_name": "Microsoft August 2018", + "description": "Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 
2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" + }, + { + "source_name": "Microsoft February 2019", + "description": "Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--11840b30-f0d1-4df5-a960-cdb80749c32a", + "created": "2023-09-29T17:07:25.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:07:25.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--11a82651-4d69-4738-89c6-17d0243cbbb0", + "created": "2023-09-29T17:37:26.536Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:37:26.536Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:07:03.003Z", + "description": "Program uploads may be observable in ICS management protocols or file transfer protocols. Note when protocol functions related to program uploads occur. In cases where the ICS protocols is not well understood, one option is to examine network traffic for the program files themselves using signature-based tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ben Hunter and Fred Gutierrez July 2020", + "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 
2021/04/12 ", + "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" + }, + { + "source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", + "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:45:28.094Z", + "description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. 
(Citation: Ben Hunter and Fred Gutierrez July 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--128de3f9-df58-4122-9523-0ac65a6ebf71", + "created": "2023-09-29T17:45:20.237Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:45:20.237Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:10:34.653Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693", + "type": "relationship", + "created": "2022-03-09T23:42:34.056Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." + } + ], + "modified": "2022-03-09T23:42:34.056Z", + "description": "(Citation: Secureworks IRON VIKING )", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.077Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4", + "created": "2023-09-28T21:13:23.057Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2023-09-28T21:13:23.057Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36", + "created": "2023-09-28T19:39:58.335Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:39:58.335Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f", + "created": "2022-09-26T18:41:48.947Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:41:48.947Z", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", + "created": "2021-04-13T12:36:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:07.929Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.071Z", + "relationship_type": "mitigates", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--13d76624-7049-45c5-94d3-8f172b7f6336", + "created": "2023-09-27T14:48:58.922Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T15:18:18.595Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) established an internal proxy prior to the installation of backdoors within the network. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:38:23.604Z", + "description": "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6", + "created": "2023-10-02T20:24:12.666Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:24:12.666Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc", + "created": "2023-09-29T16:32:33.078Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:32:33.078Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495", + "created": "2023-09-29T16:40:06.079Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:06.079Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--15188683-7ded-4578-9102-73459ecbe095", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:37:54.914Z", + "description": "Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. 
[Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a", + "created": "2023-09-28T19:47:25.303Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:47:25.303Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:48:49.308Z", + "description": "Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + 
"x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--159fb736-ba92-4564-aa6d-db6f64497763", + "created": "2023-09-28T20:25:59.717Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:25:59.717Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:30:27.289Z", + "description": "Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b", + "created": "2023-09-28T20:06:03.889Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:06:03.889Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4", + "created": "2023-09-29T18:48:52.853Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:52.853Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d", + "created": "2023-03-30T18:57:58.377Z", + "revoked": 
false, + "external_references": [ + { + "source_name": "Symantec", + "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", + "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:57:58.377Z", + "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data from local systems. The modules are named: infostealer 1, infostealer 2 and reconnaissance. (Citation: Symantec)", + "relationship_type": "uses", + "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749", + "created": "2023-09-29T17:05:30.498Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:30.498Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa", + "created": "2023-10-02T20:18:01.546Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:18:01.546Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab", + "created": "2023-09-29T17:45:45.485Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:45:45.485Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:26:48.171Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1865830b-511d-4302-99f7-6143647a8e40", + "created": "2023-10-02T20:23:52.339Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:52.339Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": 
"relationship", + "id": "relationship--18af193c-160a-4cae-9078-4d69de5c2347", + "created": "2023-09-29T18:56:21.340Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:21.340Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75", + "created": "2023-09-29T18:02:01.822Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:02:01.822Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.096Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when 
recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:30:40.378Z", + "description": "Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. 
Also monitor for loading of modules associated with specific languages.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.152Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 
2020/09/25 ", + "url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348", + "created": "2022-09-28T21:18:55.279Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:17:21.181Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can send custom Modbus commands to write register values on Schneider PLCs.(Citation: CISA-AA22-103A) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can send write tag values on OPC UA servers.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c", + "created": "2023-09-28T20:11:23.956Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:11:23.956Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": 
"x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826", + "created": "2023-09-28T21:13:49.529Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:49.529Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0", + "created": "2023-10-02T20:18:45.122Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:18:45.122Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Ensure all browsers and plugins are kept updated to help prevent the exploit phase of this technique. Use modern browsers with security features enabled.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--1a900ac4-c150-4b57-a899-990854b01d4b", + "created": "2023-09-29T16:33:50.423Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:33:50.423Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356", + "created": "2023-09-29T18:57:45.950Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:57:45.950Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d", + "created": "2023-09-28T20:09:21.736Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:09:21.736Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. 
Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:42:43.105Z", + "description": "Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185", + "created": "2023-09-29T18:01:06.725Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:01:06.725Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5", + "created": "2023-09-29T17:43:41.332Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:43:41.332Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b", + "created": "2023-09-29T16:41:44.745Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:41:44.745Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738", + "created": "2023-09-29T18:00:32.581Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:00:32.581Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:11:33.323Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:37:12.017Z", + "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c7df4f1-cee5-42c6-a974-29552552666f", + "created": "2023-09-28T19:47:08.952Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:47:08.952Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c831708-28c2-47ae-a158-39f1f7b73406", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton 
Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:10:57.573Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081", + "created": "2023-09-29T18:46:12.052Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:46:12.052Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, 
+ { + "type": "relationship", + "id": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:19:47.429Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\n[Stuxnet](https://attack.mitre.org/software/S0603) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. 
The PLC type can also be checked using the s7ag_read_szl API.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1d399f67-090e-444b-b75d-eed4b1780f08", + "created": "2022-09-26T18:42:16.844Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:42:16.844Z", + "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653", + "created": "2023-09-29T17:40:22.705Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:40:22.705Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57", + "created": "2023-09-27T13:22:26.752Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T13:25:35.597Z", + "description": "(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ben Hunter and Fred Gutierrez July 2020", + "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 
2021/04/12 ", + "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:46:56.223Z", + "description": "[EKANS](https://attack.mitre.org/software/S0605) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. (Citation: Ben Hunter and Fred Gutierrez July 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1e6da55a-ab6c-4583-9e20-583f82096497", + "created": "2022-09-26T14:40:01.334Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:49:58.047Z", + "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "type": "relationship", "id": "relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042", 
@@ -20091,18 +11549,795 @@ }, { "type": "relationship", - "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", + "id": "relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e", + "created": "2023-09-28T21:12:25.345Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:12:25.345Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:56:06.055Z", + "description": "Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f785984-791e-4612-be32-9ee6903a9c0b", + "created": "2022-09-28T20:26:09.928Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. 
(2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.433Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:34:32.554Z", + "description": "Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--1f87378c-49fb-4da5-8ed3-3672633d3713", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n", + "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:19.351Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. 
Implement user accounts for each individual for enforcement and non-repudiation of actions.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8", + "created": "2023-09-29T17:09:59.595Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:59.595Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:03:36.379Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. 
(Citation: Tom Fakterman August 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3", + "created": "2023-09-28T19:54:37.802Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:54:37.802Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459", + "created": "2022-09-23T16:35:17.240Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:34:31.627Z", + "description": "Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2057ec71-a94f-49cc-b348-2eeb44899afd", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:40:20.312Z", + "description": "Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32). ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--206cc4c8-797e-427b-86f1-4c81df391c6e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.224Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b", + "created": "2023-03-30T19:26:19.782Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-06T22:09:28.674Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) can iterate across a device’s IOAs to modify the ON/OFF value of a given IO state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. 
For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--208fe57b-cf2e-4188-8a6f-77597cd60351", + "created": "2023-09-29T17:44:43.317Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:43.317Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + "relationship_type": "mitigates", + "description": "If it is possible to inspect HTTPS traffic, the captures can be 
analyzed for connections that appear to be domain fronting.\n", + "source_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:13.772Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", + "created": "2021-04-13T12:36:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:27.700Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--21058f32-3d6e-4381-9288-5c2248e84cce", + "created": "2023-09-29T18:44:27.240Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:44:27.240Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--21134484-2d59-46b7-b878-527121fff1e3", + "created": "2022-09-26T14:28:17.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:28:17.209Z", + "description": "Monitor asset logs for alarms or other information the adversary is unable to directly suppress. 
Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4", + "created": "2023-09-28T19:44:53.873Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:44:53.873Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--21470001-67f2-47cf-af21-784e5024ac1d", + "created": "2023-09-29T18:01:22.023Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:01:22.023Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--214eb531-411c-4b90-9dbf-dc0183cbb919", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:34:19.403Z", + "description": "Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2159458f-87fc-4479-81f4-a2521a378221", + "created": "2023-09-28T21:22:09.790Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:22:09.790Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--21aa6331-3419-4049-b180-8349b71e1f2a", + "created": "2023-09-28T21:11:03.947Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2023-09-28T21:11:03.947Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.089Z", + "relationship_type": "mitigates", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.126Z", + "relationship_type": "mitigates", + "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-08T22:25:35.287Z", + "modified": "2023-03-08T22:26:11.066Z", "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--22548926-29b4-4882-9878-633375489c0e", + "created": "2023-09-28T20:30:50.842Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:50.842Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + 
"x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2289f005-7863-4af5-b681-cdfc03d3f111", + "created": "2023-09-29T18:56:08.414Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:08.414Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET", + "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:10:58.645Z", + "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) can collect AutoCad files with drawings. These drawings may contain operational information. 
(Citation: ESET)\n", + "relationship_type": "uses", + "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--22ba5443-ea49-4076-a666-722eb5352f70", + "created": "2023-09-28T20:02:45.697Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:02:45.697Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--232c7049-7609-46a9-8bbe-38672713f853", + "created": "2023-09-28T21:15:32.371Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:15:32.371Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49", + "created": "2023-09-29T16:43:53.940Z", + "revoked": 
false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:43:53.940Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.212Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft Security Response Center August 2017", + "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 
2020/09/25 ", + "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" + }, + { + "source_name": "Wikipedia", + "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:19:12.382Z", + "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", 
@@ -20113,18 +12348,215 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", + "id": "relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.216Z", + "modified": "2022-05-06T17:47:24.138Z", "relationship_type": "mitigates", - "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", + "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "external_references": [ + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.169Z", + "relationship_type": "mitigates", + "description": "Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07", + "created": "2023-09-28T20:25:47.357Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:25:47.357Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--245c8c36-28e5-4508-a585-7768cb33299a", + "created": "2023-03-10T20:06:10.209Z", + "revoked": false, + "external_references": [ + { + 
"source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:06:10.209Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the system over radio.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--24885921-734f-46c1-85d7-3f79e0b886d6", + "created": "2023-09-27T14:51:18.262Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.257Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5", + "created": "2023-09-29T17:07:55.738Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:07:55.738Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe", + "created": "2023-09-28T20:10:06.838Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2023-09-28T20:10:06.838Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--250212f0-a149-4a14-af83-94f7fcedc021", + "created": "2023-09-28T20:26:29.934Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:26:29.934Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--25281488-be20-4d83-89d1-1da7ea836037", + "created": "2023-09-29T17:40:47.898Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:40:47.898Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3", + "created": "2023-03-30T18:57:21.754Z", + "revoked": false, + "external_references": [ + { + "source_name": "Kevin Savage and Branko Spasojevic", + "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ", + "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:57:21.754Z", + "description": "[Flame](https://attack.mitre.org/software/S0143) has built-in modules to gather information from compromised computers. (Citation: Kevin Savage and Branko Spasojevic)", + "relationship_type": "uses", + "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
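Review bot: Two of the added human-readable strings carry typos that will show up wherever this bundle is rendered or text-matched. In this hunk, the external reference `Ukraine15 - EISAC - 201603` under `relationship--24885921-734f-46c1-85d7-3f79e0b886d6` has a description containing `Ukranian Power Grid`, which looks like a misspelling of `Ukrainian`. In the following hunk (`@@ -20164,35 +12596,127 @@`), the mitigation `relationship--26e58427-a2bd-4e77-9939-16ef60a072e7` reads `Authenticate connections fromsoftware and devices`, where `from software` is meant. Both fixes are confined to `description` values, so the `source_name` keys that the `(Citation: …)` markers resolve against stay unchanged. The file appears to be an export, so the correction probably belongs in the upstream content rather than in this JSON.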
@@ -20164,35 +12596,127 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "type": "relationship", + "id": "relationship--26254163-4f25-4d30-8456-ca093459ff32", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:17.429Z", - "modified": "2022-05-06T17:47:24.186Z", - "relationship_type": "mitigates", - "description": "Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "modified": "2022-10-14T16:32:29.856Z", + "description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d", + "created": "2022-09-26T16:16:21.749Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:16:21.749Z", + "description": "Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7", + "created": "2023-03-10T20:34:25.450Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T22:05:00.124Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary disabled alarms at four pumping stations, preventing notifications to the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", + "created": "2020-10-14T21:33:27.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos October 2018", + "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:54:09.871Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. 
(Citation: Dragos October 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:49:04.746Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", + "id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.096Z", + "modified": "2022-05-06T17:47:24.170Z", "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). 
Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", 
@@ -20206,128 +12730,28 @@ }, { "type": "relationship", - "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--274994e7-1fe9-463a-9979-46c72107bf9b", + "created": "2023-03-30T18:56:47.685Z", "revoked": false, "external_references": [ { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + "source_name": "ESET", + "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:25:44.864Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe which includes a Python environment. (Citation: DHS CISA February 2019)", + "modified": "2023-03-30T18:56:47.685Z", + "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from infected systems. 
(Citation: ESET)", "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", - "type": "relationship", - "created": "2021-09-21T15:47:37.522Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "IBM Ransomware Trends September 2020", - "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", - "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." - }, - { - "source_name": "CrowdStrike Carbon Spider August 2021", - "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", - "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." - }, - { - "source_name": "FBI Flash FIN7 USB", - "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/", - "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022." 
- } - ], - "modified": "2022-01-14T17:29:16.633Z", - "description": "(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)", - "relationship_type": "uses", - "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.111Z", - "relationship_type": "mitigates", - "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. (Citation: Karen Scarfone; Paul Hoffman September 2009)\n", - "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 
2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.235Z", - "relationship_type": "mitigates", - "description": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", - "created": "2022-09-28T20:29:51.844Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:17:08.493Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -20335,19 +12759,19 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", + "id": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.154Z", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", "external_references": [ { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", 
@@ -20356,91 +12780,8 @@ }, { "type": "relationship", - "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:20:08.002Z", - "description": "Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:23:59.758Z", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:55:14.825Z", - "description": "Monitor for network traffic originating from unknown/unexpected hosts. 
Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f145b7e5-048b-46e7-8439-e2b88917523c", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:48:47.595Z", - "description": "Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00", - "created": "2022-09-28T20:25:51.024Z", + "id": "relationship--2867f491-919b-463f-b689-bb3ceb7ae99f", + "created": "2022-09-28T20:31:07.486Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
@@ -20463,11 +12804,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-13T16:53:47.448Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", + "modified": "2022-10-13T16:53:47.434Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to remotely connect to Schneider PLCs and perform maintenance functions on the device.(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use Telnet to upload payloads and execute commands on Omron PLCs.\t(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream) The malware can also use HTTP-based CGI scripts (e.g., cpu.fcgi, ecat.fcgi) to gain administrative access to the device.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -20475,18 +12816,44 @@ }, { "type": "relationship", - "id": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad", + "created": "2023-09-29T18:05:32.443Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:42:43.105Z", - "description": "Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "modified": "2023-09-29T18:05:32.443Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:10:43.996Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -20494,30 +12861,587 @@ }, { "type": "relationship", - "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", - "created": "2017-05-31T21:33:27.074Z", + "id": "relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e", + "created": "2023-09-28T21:26:47.115Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:47.115Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--296375b0-817d-4f42-afe1-4308f5edf973", + "created": "2023-09-28T21:10:25.193Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:10:25.193Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": 
"Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--29b85313-645b-4fb1-b5c2-f580d111760b", + "created": "2022-09-26T19:38:04.844Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:36:50.910Z", + "description": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81", + "created": "2023-09-29T18:46:39.854Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:46:39.854Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2a451896-81aa-4eed-a444-4d04661adeeb", + "created": "2023-09-29T16:43:42.911Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:43:42.911Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe", + "created": "2023-09-28T19:38:46.361Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:38:46.361Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.127Z", + "relationship_type": "mitigates", + "description": "Once an adversary has access to a remote GUI they can abuse system 
features, such as required HMI functions.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1", + "created": "2023-09-29T18:46:54.684Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:46:54.684Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2c79920a-f2d1-4114-a1df-924835da645c", + "created": "2023-09-28T19:53:00.672Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:00.672Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.071Z", + "relationship_type": "mitigates", + "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.150Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919", + "created": "2022-09-27T16:30:41.482Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:30:41.482Z", + "description": "Monitor device management protocols for functions that modify programs such as online edit and program append events.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2", + "created": "2023-09-29T16:33:12.887Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:33:12.887Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0", 
+ "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:02:57.267Z", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.126Z", + "relationship_type": "mitigates", + "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n", + "source_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe", + "created": "2023-09-29T17:39:15.857Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:39:15.857Z", + "description": "", + "relationship_type": "targets", + 
"source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2e0769d7-088e-45d5-a262-6dbc91a95073", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:31.992Z", + "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a", + "created": "2023-09-28T19:40:51.425Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:40:51.425Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:10:53.087Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.220Z", + "relationship_type": "mitigates", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.173Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8", + "created": "2023-09-28T20:02:05.365Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:02:05.365Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f", + "created": "2023-09-27T14:47:29.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", - "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", - "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). 
Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:30:30.761Z", - "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", + "modified": "2023-10-04T17:03:24.258Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. 
(Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--2f457bef-1721-4e0f-b236-24e4652a31b4", + "created": "2023-09-29T16:29:53.181Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:53.181Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Execution prevention may prevent malicious scripts from accessing protected resources.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.240Z", + "relationship_type": "mitigates", + "description": "Reduce the range of RF communications to their intended operating range when possible. Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", + "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "external_references": [ + { + "source_name": "DHS National Urban Security Technology Laboratory April 2019", + "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 
2020/09/17 ", + "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50", + "created": "2023-09-28T20:30:21.865Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:21.865Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.226Z", + "relationship_type": "mitigates", + "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "relationship", "id": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", 
@@ -20546,148 +13470,40 @@ }, { "type": "relationship", - "id": "relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9", + "created": "2023-09-28T19:43:28.167Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T18:41:15.273Z", - "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--665587ee-1524-4334-9580-2b448c417542", - "created": "2023-03-30T19:26:07.209Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 Mandiant April 2022", - "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. 
Retrieved March 30, 2023.", - "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" - }, - { - "source_name": "Industroyer2 Forescout July 2022", - "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", - "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-06T22:09:44.559Z", - "description": "[Industroyer2](https://attack.mitre.org/software/S1072) modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", - "relationship_type": "uses", - "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "modified": "2023-09-28T19:43:28.167Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.179Z", - "relationship_type": "mitigates", - "description": "Filter for protocols 
and payloads associated with program download activity to prevent unauthorized device configurations.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:56:39.825Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.228Z", - "relationship_type": "mitigates", - "description": "Application control may be able to prevent the running of executables masquerading as other files.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.169Z", - "relationship_type": "mitigates", - "description": "Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--2fe222c4-cc81-473d-956e-235e2961a5c3", + "created": "2023-09-29T17:04:26.769Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:44:27.451Z", - "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "modified": "2023-09-29T17:04:26.769Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -20695,336 +13511,93 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b", + "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.088Z", + "modified": "2022-05-06T17:47:24.092Z", "relationship_type": "mitigates", - "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.084Z", - "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "external_references": [ - { - "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", - "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", - "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", - "created": "2021-10-08T15:42:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Inc. June 2017", - "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", - "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:01:24.078Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. 
June 2017)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.166Z", - "relationship_type": "mitigates", - "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "description": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, - { - "type": "relationship", - "id": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:57:47.375Z", - "description": "Monitor and analyze traffic patterns and packet inspection associated to 
protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1c831708-28c2-47ae-a158-39f1f7b73406", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T20:10:57.573Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2", + "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:17.429Z", - "modified": "2022-05-06T17:47:24.189Z", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", "relationship_type": "mitigates", - "description": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "description": "Consider the use of application isolation and 
sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. This may be even more useful in cases where the source of the executed script is unknown.\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--305866af-1f36-49e0-a57d-d5faaf29011c", + "created": "2023-09-28T20:34:52.740Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T20:51:43.487Z", - "description": "Monitor for unusual network traffic that may indicate additional tools transferred to the system. 
Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b346eec8-de90-407c-b665-387086bb4553", - "created": "2022-09-29T01:36:02.223Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - }, - { - "source_name": "Brubaker-Incontroller", - "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. 
Retrieved September 28, 2022.", - "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.444Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to upload programs from Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "modified": "2023-09-28T20:34:52.740Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", "x_mitre_deprecated": false, "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee Labs October 2019", + "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 
2021/04/12 ", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:04:11.691Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) searches for all processes listed in the prc field within its configuration file and then terminates each process. (Citation: McAfee Labs October 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--a2142552-6b8d-4751-a3d4-1471420c02fc", + "id": "relationship--31203165-79d0-42e5-81f1-62150dea2c43", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:15:48.476Z", - "description": "Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. 
The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to enable remote logins.", + "modified": "2022-10-14T16:16:37.643Z", + "description": "Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of [Valid Accounts](https://attack.mitre.org/techniques/T0859) to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.102Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:54:58.401Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of view. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--dc15440d-6683-435a-8c87-64daea29bcaa", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:01:03.550Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render communication devices inoperable. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.139Z", - "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", - "external_references": [ - { - "source_name": "M. Rentschler and H. Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", - "created": "2021-10-08T15:25:32.143Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:20:42.055Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
@@ -21033,46 +13606,136 @@ }, { "type": "relationship", - "id": "relationship--052552e9-eac0-4b37-9df8-2e921053e305", - "created": "2023-03-30T19:05:17.003Z", + "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:39.796Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) utilizes the PLC communication and management API to load executable Program Organization Units. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs March 2018", + "description": "Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 
2020/01/03 ", + "url": "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos" + }, + { + "source_name": "Novetta Threat Research Group February 2016", + "description": "Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25 ", + "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:15:30.732Z", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. (Citation: Eduard Kovacs March 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a", + "created": "2023-10-02T20:18:11.933Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-30T19:05:17.003Z", - "description": "Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "modified": 
"2023-10-02T20:18:11.933Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "type": "relationship", + "id": "relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce", + "created": "2023-09-28T21:16:44.471Z", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", + "modified": "2023-09-28T21:16:44.471Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.089Z", - "relationship_type": "mitigates", - "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. 
(Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--321fc522-bc6b-4975-bee4-9098624d1e8c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2022-09-26T16:32:18.815Z", + "description": "Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5", + "created": "2023-09-28T20:26:15.542Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:26:15.542Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", 
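Review bot: The author name in the added PLC-Blaster reference (`relationship--31897c41-1d47-4a34-b531-21c3f74651a8`) reads `Maik Brggemann`, which looks like a non-ASCII character lost during export; the intended spelling is presumably `Brüggemann`, to be confirmed against the cited paper. The same string serves as the `source_name` and appears inside the `(Citation: …)` marker in `description`, so a correction must change both in the same edit or the citation no longer resolves to its reference. The corrected key would read `"source_name": "Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke March 2016"`, with the marker in `description` updated to match.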
@@ -21100,24 +13763,210 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b", + "created": "2023-09-28T21:21:07.833Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:21:07.833Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b", + "created": "2023-09-28T20:10:23.215Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:10:23.215Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--32d15d1a-04ba-4035-907a-e2871425e8d1", + "created": "2023-09-28T20:28:40.722Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:28:40.722Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be", + "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.230Z", + "modified": "2022-05-06T17:47:24.130Z", "relationship_type": "mitigates", - "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. 
Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3334e647-fd5d-481d-a7f9-66f73911a57a", + "created": "2023-09-28T19:45:30.291Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:45:30.291Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.092Z", + "relationship_type": "mitigates", + "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": 
"relationship", + "id": "relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7", + "created": "2023-09-29T16:47:08.696Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:47:08.696Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5", + "created": "2023-09-29T18:07:41.540Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:07:41.540Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3439d550-61d5-40b4-a514-341509d3f701", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:08:28.052Z", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked 
communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3471632d-253d-469e-9e8c-3b291b4ae88a", + "created": "2023-09-28T21:14:15.274Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:15.274Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.239Z", + "relationship_type": "mitigates", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. (Citation: Bastille April 2017)\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "external_references": [ { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + "source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" } ], "x_mitre_attack_spec_version": "2.1.0", 
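Review bot: The `mitigates` relationships added in this hunk (for example `relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d` and `relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8`) carry neither `revoked` nor `x_mitre_deprecated`, while the `targets` and `detects` objects added beside them set both to `false`. A consumer that filters the bundle on these keys has to treat a missing key as false, or it will drop these mitigations or fail on the lookup. For a uniform object shape I would add `"revoked": false,` and `"x_mitre_deprecated": false,` to the `mitigates` objects, or state in the accompanying documentation that absence means false.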
@@ -21125,26 +13974,207 @@ "x_mitre_version": "1.0" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d", - "created": "2021-04-11T14:06:54.109Z", + "id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T11:15:26.506Z", + "modified": "2022-05-06T17:47:24.156Z", + "relationship_type": "mitigates", + "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", + "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + "source_name": "FireEye TRITON", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). 
Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + }, + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:56:37.468Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "modified": "2022-09-29T20:49:30.525Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. 
(Citation: DHS CISA February 2019)\n\n[Triton](https://attack.mitre.org/software/S1009) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.(Citation: FireEye TRITON)", "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:36.935Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3526acc8-8834-4aaa-87a5-51e587360cf5", + "created": "2023-09-29T18:45:47.394Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:47.394Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--352ed52c-88ba-4731-a917-4c33da0f29d4", + "created": "2023-09-27T14:44:00.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Andy Greenberg June 2017", + "description": "Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. 
Retrieved September 27, 2023.", + "url": "https://www.wired.com/story/russian-hackers-attack-ukraine/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T15:19:15.124Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used an IT helpdesk software to move the mouse on ICS control devices to maliciously release electricity breakers. (Citation: Andy Greenberg June 2017)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:43:32.737Z", + "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. 
This may mitigate, or at least alleviate, the scope of AiTM activity.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:31:19.923Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 
(Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:55:14.211Z", + "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. For added context on adversary procedures and background see [User Execution](https://attack.mitre.org/techniques/T1204) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
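Review bot: The added objects `relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b` and `relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033` carry no `revoked` or `x_mitre_deprecated` key, while every other relationship added in this hunk sets both to `false` explicitly. A consumer that indexes those keys directly, or treats a missing key as "no match" when filtering for active objects, could fail on these two `mitigates` relationships or silently drop them from a coverage view. I would add `"revoked": false,` and `"x_mitre_deprecated": false,` to both objects so that the bundle has one shape. The same mixed shape appears in the following hunk, for example `relationship--366a4cd1-aa95-4985-9d80-b45a2551e298`.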
@@ -21154,29 +14184,1091 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc", "type": "relationship", - "created": "2020-05-14T14:41:42.975Z", + "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "source_name": "FireEye FIN6 Apr 2019" - } + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.179Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d", + "created": "2023-09-28T20:29:27.153Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2020-05-15T19:15:35.568Z", - "description": "(Citation: FireEye FIN6 Apr 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", - "x_mitre_version": "1.0", + "modified": "2023-09-28T20:29:27.153Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e", - "created": "2022-09-28T21:21:58.641Z", + "id": "relationship--37048032-b41d-47d8-9c73-7b706bef24d1", + "created": "2023-09-28T20:27:58.625Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:58.625Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be", + "created": "2023-09-28T21:13:36.185Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:36.185Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--3731962f-64e7-4750-ac8b-40b97eef8725", + "created": "2023-09-29T16:41:15.943Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:41:15.943Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--374837a0-6109-4c95-bee6-893b25ac71cf", + "created": "2023-09-28T21:13:12.715Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:12.715Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:43:54.996Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. 
Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--37abb3d5-24fc-4397-844e-07548d324729", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:32:20.552Z", + "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2", + "created": "2023-09-29T16:31:46.749Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:31:46.749Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + 
"x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--383e242a-72d4-4b40-8905-888595c34919", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Kelly Jackson Higgins", + "description": "Kelly Jackson Higgins How a Manufacturing Firm Recovered from a Devastating Ransomware Attack Retrieved. 2019/11/03 ", + "url": "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:20:20.608Z", + "description": "An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0446) attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open. 
(Citation: Kelly Jackson Higgins)", + "relationship_type": "uses", + "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3843dcca-62a2-4224-9241-05f981fa880a", + "created": "2023-09-28T19:46:23.921Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:46:23.921Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:32:41.938Z", + "description": "Monitor for newly constructed files copied to or from removable media.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--38bda770-c470-4358-a9ad-a5b39bec026b", + "created": "2023-09-29T16:28:28.550Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:28.550Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--39452123-574f-4f3a-95ec-a90170a3d7eb", + "created": "2023-10-02T20:20:44.850Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:20:44.850Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--399126a9-815d-4c3b-9d5e-f57d698ac742", + "created": "2023-09-28T19:40:36.023Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:40:36.023Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--39963a04-9675-4fa4-87ea-1b34145cc569", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:44.656Z", + "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--39e5a489-f557-4130-a285-e0a82f40685c", + "created": "2023-09-28T19:46:38.112Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:46:38.112Z", + "description": "", + "relationship_type": 
"targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584", + "created": "2023-09-28T19:40:21.763Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:40:21.763Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974", + "created": "2023-09-29T18:56:47.109Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:47.110Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4", + "created": 
"2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:23:59.758Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca", + "created": "2023-09-28T19:44:37.687Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:44:37.687Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + 
"source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:36:37.304Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) uses HTTP POST request to contact external command and control servers. (Citation: Booz Allen Hamilton)\n", + "relationship_type": "uses", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea", + "created": "2023-09-28T21:15:18.036Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:15:18.036Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2022-09-26T15:11:14.662Z", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.237Z", + "relationship_type": "mitigates", + "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. (Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "external_references": [ + { + "source_name": "CISA March 2010", + "description": "CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35", + "created": "2023-09-28T19:43:15.817Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:43:15.817Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Microsoft Security Response Center August 2017", + "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", + "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" + }, + { + "source_name": "Wikipedia", + "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 
2020/09/25 ", + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:18:50.929Z", + "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688", + "created": "2023-09-28T19:53:33.603Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:33.603Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2", + "created": "2023-10-02T20:22:15.907Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:22:15.908Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:52:05.598Z", + "description": "The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.216Z", + "relationship_type": "mitigates", + "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:59.240Z", + "description": "Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. 
Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3c341d13-938e-4535-ac75-10a79abc7017", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:46:17.575Z", + "description": "Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:11:30.678Z", + "description": "Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", + "created": "2021-04-13T12:45:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:12:08.899Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) calls system function blocks which are part of the operating system running on the PLC. Theyre used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:41:15.273Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a", + "created": "2023-09-28T21:26:11.506Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:11.506Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:19:04.853Z", + "description": "Monitor logon activity for unexpected or unusual access to devices from the Internet.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": 
"attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.109Z", + "relationship_type": "mitigates", + "description": "Minimize the exposure of API calls that allow the execution of code.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d", + "created": "2022-09-30T15:28:37.614Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T15:28:37.614Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5", + "created": "2023-09-29T17:05:08.346Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:08.346Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1", + "created": "2023-09-29T16:44:16.391Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:16.391Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + 
"x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41", + "created": "2022-09-26T19:30:14.122Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:15:05.195Z", + "description": "Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.092Z", + "relationship_type": "mitigates", + "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9", + "created": "2023-09-29T17:39:42.457Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:39:42.457Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.236Z", + "relationship_type": "mitigates", + "description": "Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. 
Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:51.224Z", + "description": "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", + "created": "2018-04-18T17:59:24.739Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", + "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf", + "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A 
Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 " + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. (Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)", + "modified": "2022-08-11T13:23:12.321Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe", + "created": "2023-09-28T21:17:18.201Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:17:18.201Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3fb86696-1d56-42d5-a73d-044a78b588fe", + "created": "2023-09-27T14:54:12.586Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The 
Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T15:19:28.937Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa", + "created": "2023-09-28T20:27:43.727Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:43.727Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542", + "created": "2023-09-29T18:57:32.665Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:57:32.665Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c", + "created": "2022-09-28T21:16:28.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ @@ -21190,10 +15282,10 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "modified": "2022-10-13T16:53:47.435Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.(Citation: Wylie-22) ", + "description": "The [INCONTROLLER](https://attack.mitre.org/software/S1045) PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.(Citation: Wylie-22)", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -21201,7 +15293,385 @@ }, { "type": "relationship", - "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", + "id": "relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4", + "created": "2023-09-29T18:05:42.611Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:05:42.611Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--40f63b01-dc59-475d-826a-74f38c6e81b9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:38:28.550Z", + "description": "Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. 
Monitor for relevant process creation events.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db", + "created": "2023-09-29T17:04:46.290Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:04:46.290Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.145Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d", + "created": "2023-09-28T19:58:43.542Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:43.542Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "All communication sessions to remote services should be authenticated to prevent unauthorized access.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--423271c0-04dc-42d0-8e27-fb0b6067e096", + "created": "2023-09-27T14:59:43.382Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.259Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power breakers were opened which caused the operating companies to be unable to deliver power, and left thousands of businesses and households without power for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--42508a8e-44d5-4af1-9e66-bace5fc94734", + "created": "2022-09-27T18:49:25.089Z", + "revoked": false, + "external_references": [ + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:49:25.089Z", + "description": "Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.178Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.185Z", + "relationship_type": "mitigates", + "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b", + "created": "2023-09-28T19:58:54.450Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:54.450Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--43344cd7-5004-4dac-8b62-8899105fa265", + "created": "2023-09-29T18:47:20.334Z", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:20.334Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:16:26.262Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. 
June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.120Z", + "relationship_type": "mitigates", + "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:24:52.417Z", + "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:36:26.506Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Minimize the exposure of API calls that allow the execution of code.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b", + "created": "2022-09-27T19:06:12.301Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:06:12.302Z", + "description": "A manipulated I/O image requires analyzing the 
application program running on the PLC for specific data block writes. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
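Review bot: Several relationship objects added in this hunk, for example `relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a` and `relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22`, carry neither `revoked` nor `x_mitre_deprecated`, while neighbours such as `relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4` set both to `false`. A consumer that builds mitigation or detection coverage by filtering on those keys has to treat a missing key as false, or it will fail on these objects or silently drop them. I would add `"revoked": false,` and `"x_mitre_deprecated": false,` to the objects that lack them so every relationship has the same shape. The same gap shows in the next hunk, e.g. `relationship--45ee1822-71e4-4d92-976d-306561b70555`.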
@@ -21215,10 +15685,251 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-19T21:23:40.524Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "modified": "2022-10-19T21:22:38.490Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4508bdef-9528-47ae-804c-bc59d1e694e7", + "created": "2023-09-28T20:02:35.354Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:02:35.354Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + 
"target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--456ff399-4925-45d4-aa84-d930eae5348e", + "created": "2023-09-28T20:26:47.786Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:26:47.786Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f", + "created": "2023-10-02T20:22:02.539Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:22:02.539Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9", + "created": "2023-09-28T20:15:32.382Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:32.382Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--45ee1822-71e4-4d92-976d-306561b70555", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.073Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--4631bf49-da0b-4415-a226-112c99ff0f64", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:22:17.841Z", + "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. 
Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.164Z", + "relationship_type": "mitigates", + "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--4653847b-c089-4435-9159-6f76353833f7", + "created": "2023-09-25T20:43:22.274Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:43:22.274Z", + "description": "All field controllers should restrict the modification of controller tasks to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + 
"relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf", + "created": "2023-09-29T16:42:20.944Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:20.944Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--46798892-d849-43fe-8147-b40cc9da291e", + "created": "2023-09-28T19:42:29.359Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:42:29.359Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Hydro", + "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", + "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:56:30.836Z", + "description": "While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0372) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. (Citation: Kevin Beaumont)(Citation: Hydro)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
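Review bot: The `Hydro` entry in `external_references` of `relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4` has a description that repeats the author and title of the `Kevin Beaumont` reference and prints `Retrieved. 2019/10/16` twice, although its `url` points at hydro.com. It looks as if the two citations were merged during export, so a reader following `(Citation: Hydro)` sees the wrong title for that source. The description should name the Hydro page itself and carry a single retrieval date, along the lines of `"description": "Hydro <TITLE-OF-HYDRO-PAGE> Retrieved. 2019/10/16 "`, where the title is a placeholder to be taken from the page.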
@@ -21227,82 +15938,37 @@ }, { "type": "relationship", - "id": "relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0", - "created": "2022-05-11T16:22:58.803Z", + "id": "relationship--4768c731-3be9-44b8-a217-dfbececa57d9", + "created": "2023-09-29T18:06:22.868Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:22.868Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4", + "created": "2022-09-26T20:46:23.812Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:02:57.267Z", - "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", + "modified": "2022-10-14T16:30:58.676Z", + "description": "Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. 
", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:27:54.588Z", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Symantec Security Response July 2014", - "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 
2016/04/08 ", - "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:04:03.547Z", - "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). (Citation: Symantec Security Response July 2014)", - "relationship_type": "uses", - "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b5979643-fefb-460f-b59c-971efe95f121", - "created": "2022-09-27T16:57:48.758Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:42:28.408Z", - "description": "Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_deprecated": false, "x_mitre_version": "0.1", 
"x_mitre_attack_spec_version": "2.1.0", 
@@ -21340,80 +16006,21 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", "type": "relationship", - "created": "2019-04-17T14:45:59.681Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "source_name": "FireEye FIN6 Apr 2019" - } - ], - "modified": "2019-06-28T14:59:17.849Z", - "description": "(Citation: FireEye FIN6 Apr 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:08:26.506Z", - "modified": "2022-05-06T17:47:24.119Z", - "relationship_type": "mitigates", - "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": 
"relationship--3439d550-61d5-40b4-a514-341509d3f701", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--483719ad-c973-4210-b059-14e87dbd45f8", + "created": "2023-09-28T19:49:43.417Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:08:28.052Z", - "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a", - "created": "2022-09-29T14:27:05.757Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T14:27:05.757Z", - "description": "Monitor logon sessions for hardcoded credential use, when feasible.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "modified": "2023-09-28T19:49:43.417Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -21422,47 +16029,52 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", + "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.228Z", + "modified": "2022-05-06T17:47:24.224Z", "relationship_type": "mitigates", - "description": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.102Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--de8b8a69-5f08-421a-96f0-2bed5707508d", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--49242ea8-4813-49f7-8bd4-9668216cceeb", + "created": "2023-09-29T16:45:53.300Z", "revoked": false, - "external_references": [ - { - "source_name": "Nzyme Alerts Intro", - "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", - "url": "https://www.nzyme.org/docs/alerts/intro" - }, - { - "source_name": "Wireless Intrusion Detection", - "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", - "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T18:57:13.322Z", - "description": "New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. 
In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "modified": "2023-09-29T16:45:53.300Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -21470,84 +16082,77 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", + "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.227Z", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.186Z", "relationship_type": "mitigates", - "description": "Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n", - "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "description": "Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. 
Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", - "created": "2019-03-26T16:19:52.358Z", + "id": "relationship--4981a944-b3ad-4d78-9881-a17d458e3422", + "created": "2023-09-28T20:01:30.138Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:01:30.138Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8", + "created": "2023-03-31T17:44:19.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:58:42.847Z", - "description": "[NotPetya](https://attack.mitre.org/software/S0368) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", + "modified": "2023-04-07T19:50:55.445Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: `cscript C:\\Backinfo\\ufn.vbs C:\\Backinfo\\101.dll C:\\Delta\\101.dll`(Citation: Dragos Crashoverride 2018)", "relationship_type": "uses", - "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Tom Fakterman August 2019", - "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 
2021/04/12 ", - "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:07:33.947Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. (Citation: Tom Fakterman August 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", + "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-08T22:25:01.756Z", - "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)", + "modified": "2023-03-08T22:27:26.605Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", "relationship_type": "mitigates", "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.1.0", 
@@ -21555,66 +16160,18 @@ }, { "type": "relationship", - "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", - "created": "2021-04-13T12:45:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - }, - { - "source_name": "ICS-CERT August 2018", - "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", - "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:19:04.571Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. 
(Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:08:26.506Z", - "modified": "2022-05-06T17:47:24.118Z", - "relationship_type": "mitigates", - "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", - "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--78972893-5d8c-480f-a05d-481adc0c8bb0", - "created": "2022-05-11T16:22:58.804Z", + "id": "relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2", + "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T16:12:25.316Z", - "description": "Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. 
In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.", + "modified": "2022-10-14T19:37:44.970Z", + "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible, to determine their actions and intent.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -21622,17 +16179,74 @@ }, { "type": "relationship", - "id": "relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59", - "created": "2022-09-26T17:08:21.214Z", + "id": "relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05", + "created": "2023-09-28T19:41:47.648Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T17:08:21.214Z", - "description": "Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).", + "modified": "2023-09-28T19:41:47.648Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4a7340fc-0eec-4459-a491-952d736b79ef", + "created": "2023-09-28T19:50:42.505Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:50:42.505Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": 
"relationship", + "id": "relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198", + "created": "2023-09-28T21:09:50.956Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:09:50.956Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4b57e41c-246f-44b3-b259-1811d5275e10", + "created": "2022-09-26T15:16:32.057Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:16:32.057Z", + "description": "Consult asset management systems to understand expected alarm settings.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -21641,102 +16255,184 @@ }, { "type": "relationship", - "id": "relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596", + "created": "2023-09-28T21:24:51.818Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:14:40.227Z", - "description": "Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using [Valid Accounts](https://attack.mitre.org/techniques/T0859).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "modified": "2023-09-28T21:24:51.818Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "type": "relationship", + "id": "relationship--4b853b7c-bc55-4599-b88d-d08d651526c0", + "created": "2023-09-29T18:49:25.209Z", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", + "modified": "2023-09-29T18:49:25.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + 
"target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.084Z", - "relationship_type": "mitigates", - "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.\n", - "source_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", + "id": "relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e", + "created": "2023-03-31T17:45:09.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.139Z", - "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. 
For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "revoked": false, "external_references": [ { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.202Z", - "relationship_type": "mitigates", - "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", - "source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "modified": "2023-04-07T17:51:39.294Z", + "description": "During the [2016 Ukraine Electric Power 
Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used MS-SQL access to a pivot machine, allowing code execution throughout the ICS network.(Citation: Dragos Crashoverride 2018)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "type": "relationship", + "id": "relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12", + "created": "2023-09-28T19:59:23.856Z", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", + "modified": "2023-09-28T19:59:23.856Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.236Z", - "relationship_type": "mitigates", - "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": 
"relationship--1f785984-791e-4612-be32-9ee6903a9c0b", - "created": "2022-09-28T20:26:09.928Z", + "id": "relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962", + "created": "2023-09-28T21:23:14.975Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:23:14.975Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Atlassian Confluence Logging", + "description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.", + "url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html" + }, + { + "source_name": "Microsoft SharePoint Logging", + "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.", + "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2" + }, + { + "source_name": "Sharepoint Sharing Events", + "description": "Microsoft. (n.d.). Sharepoint Sharing Events. 
Retrieved October 8, 2021.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:13:08.567Z", + "description": "Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.(Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource.(Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.(Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7", + "created": "2023-09-28T20:27:04.841Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:04.841Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4", + "created": "2023-09-28T21:28:11.821Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:11.821Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e", + "created": "2022-09-28T21:21:58.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
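Review bot: The description on the added `detects` relationship `relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419` runs two sentences together: "Monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents." As written, a reader cannot tell what is to be monitored and what is merely configurable. If the intent is what it appears to be, the string should open with `Monitor for newly constructed logon behavior. Microsoft's SharePoint can be configured to report access to certain pages and documents.` The trailing space before the closing quote of that string could be dropped in the same edit.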
@@ -21749,135 +16445,190 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-13T16:53:47.433Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", + "modified": "2022-10-13T16:53:47.435Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5", + "created": "2023-09-29T18:02:38.399Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:02:38.399Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93", + "created": "2023-09-29T17:57:55.162Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2023-09-29T17:57:55.162Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9", + "created": "2023-09-28T20:09:53.108Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:09:53.108Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4f83cc15-274d-44c6-859f-e598e362e76e", + "created": "2023-09-27T14:55:55.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.260Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened live breakers via remote commands to the HMI, causing blackouts. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", + "id": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.166Z", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.189Z", "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. 
Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "external_references": [ + { + "source_name": "North America Transmission Forum December 2019", + "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", + "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" + } + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29", + "created": "2023-09-29T18:03:06.209Z", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:03:06.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--5041e17d-6349-4589-8c61-7b43964b5f9b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.227Z", + "relationship_type": "mitigates", + "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. (Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "external_references": [ { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + "source_name": "Emerson Exchange", + "description": "Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ", + "url": "https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot" + }, + { + "source_name": "National Security Agency February 2016", + "description": "National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 
2020/09/25 ", + "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:52:05.598Z", - "description": "The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:24:28.935Z", - "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. 
Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.101Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, - { - "type": "relationship", - "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", - "created": "2017-05-31T21:33:27.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", - "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 
2019/10/27 ", - "url": "https://securelist.com/bad-rabbit-ransomware/82851/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:31:21.210Z", - "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", - "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", + "id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.135Z", + "modified": "2022-05-06T17:47:24.090Z", "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. 
For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", 
@@ -21889,131 +16640,9 @@ "x_mitre_version": "1.0" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.069Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--274994e7-1fe9-463a-9979-46c72107bf9b", - "created": "2023-03-30T18:56:47.685Z", - "revoked": false, - "external_references": [ - { - "source_name": "ESET", - "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T18:56:47.685Z", - "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from infected systems. 
(Citation: ESET)", - "relationship_type": "uses", - "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55", - "created": "2022-09-27T18:41:43.617Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:41:43.617Z", - "description": "Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", - "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.094Z", - "relationship_type": "mitigates", - "description": "System and process restarts should be performed when a timeout condition occurs.\n", - "source_ref": 
"course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.100Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3", - "created": "2022-09-26T15:24:07.122Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:24:07.122Z", - "description": "Monitor asset application logs which may provide information about requests for points or tags. 
Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", - "created": "2021-04-13T11:15:26.506Z", + "id": "relationship--50b3247a-ea71-455e-b299-f00666c05146", + "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
@@ -22026,85 +16655,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-20T21:19:13.497Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "modified": "2022-09-20T21:12:35.411Z", + "description": "In states 3 and 4 [Stuxnet](https://attack.mitre.org/software/S0603) sends two network bursts (done through the DP_SEND primitive). The data in the frames are instructions for the frequency converter drives. For example one of the frames contains records that change the maximum frequency (the speed at which the motor will operate). The frequency converter drives consist of parameters, which can be remotely configured via Profibus. One can write new values to these parameters changing the behavior of the device. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.187Z", - "relationship_type": "mitigates", - "description": "All communication sessions to remote services should be authenticated to prevent unauthorized access.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9ad74496-e164-4068-a0f5-379f507ba864", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:47:23.576Z", - "description": "Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--dda29418-9570-405a-b7db-97e951e5aa53", - "created": "2022-09-26T19:36:13.409Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:35:58.409Z", - "description": "Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:53:22.510Z", - "description": "Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -22136,6 +16691,2351 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--5131c799-517c-4bad-ba97-46ad7de956e7", + "created": "2023-09-28T21:17:06.233Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:17:06.233Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--51eb15a3-48af-470f-94c0-10f25b366d72", + "created": "2022-09-28T20:30:22.148Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.436Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can establish a remote HTTP connection to change the operating mode of Omron PLCs.(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.072Z", + "relationship_type": "mitigates", + "description": "Restrict unauthorized devices from accessing serial comm ports.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59", + "created": "2022-09-26T17:08:21.214Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:08:21.214Z", + "description": "Monitor device communication 
patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", + "created": "2019-06-24T17:20:24.258Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:39:25.984Z", + "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. 
(Citation: Catalin Cimpanu April 2016)", + "relationship_type": "uses", + "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c", + "created": "2023-09-29T16:40:18.760Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:18.760Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.143Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-10T14:13:17.429Z", + "modified": "2022-05-06T17:47:24.188Z", + "relationship_type": "mitigates", + "description": "Enforce strong password requirements to prevent password brute force methods for lateral movement.\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--523777f8-4780-4716-807c-08a67450b916", + "created": "2023-09-29T18:45:13.052Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:13.052Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--524ffb0f-40ae-4c97-a098-d14001fffa31", + "created": "2023-09-29T16:44:54.473Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:54.473Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + 
"x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--52855d5d-e835-470f-a675-751c2779c861", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.140Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b", + "created": "2023-09-28T21:23:26.598Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:23:26.598Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.133Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--52e828db-58d0-443e-8d94-54d265d9606e", + "created": "2023-09-29T17:42:01.044Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:01.044Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.208Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:01:00.053Z", + "description": "The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S1006) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:12:58.883Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a", + "created": "2023-03-30T14:08:23.251Z", + "revoked": false, + "external_references": [ + { + "source_name": "CISA June 2013", + "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:08:23.251Z", + "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.(Citation: CISA June 2013)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--53d7a78d-1431-49e8-944c-62c875e58a20", + "created": "2023-09-29T17:08:37.793Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:08:37.793Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Allanite Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/allanite/" + }, + { + "source_name": "ICS-CERT October 2017", + "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:18.975Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. 
(Citation: Dragos) (Citation: ICS-CERT October 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd", + "created": "2023-09-29T17:44:32.341Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:32.341Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--544e996c-0bdc-42b2-91af-14c27d4213b9", + "created": "2023-09-28T21:09:23.185Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:09:23.185Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56", + "created": 
"2023-09-28T20:10:44.014Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:10:44.014Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b", + "created": "2023-03-30T19:24:38.022Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T16:17:58.795Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to terminate specified processes (i.e., PServiceControl.exe and PService_PDD.exe) and rename each process to prevent restart. 
These are defined through a hardcoded configuration.(Citation: Industroyer2 Mandiant April 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:07:49.346Z", + "description": "Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:18:27.480Z", + "description": "Monitor for unexpected protocols to/from the Internet. 
While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--55f3dd59-08be-4e23-a680-b6db7850b399", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:59:50.879Z", + "description": "Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.075Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. 
Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5677e801-bd49-404b-b54a-6b00da52530c", + "created": "2023-09-29T16:39:01.824Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:01.824Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--567acebd-4ba2-4723-a74d-514992321ccc", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:03:27.702Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18", + "created": "2023-09-29T18:05:18.147Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:05:18.147Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:51.471Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0", + "created": "2022-09-29T14:28:08.703Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:28:08.703Z", + "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f", + "created": "2023-09-27T14:48:05.715Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.261Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:33:10.450Z", + "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--577b53a0-44ff-4cc4-b571-455d61e596c0", + "created": "2023-09-28T20:27:17.431Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:17.431Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": 
"3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:22:50.001Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141", + "created": "2023-03-31T18:12:35.414Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T17:07:29.299Z", + "description": "Within the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Industroyer](https://attack.mitre.org/software/S0604) was used to target and disrupt the Ukrainian power grid substation components.(Citation: Dragos Crashoverride 2018)(Citation: ESET Industroyer)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.086Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2", + "created": "2022-09-26T15:37:30.958Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:37:30.958Z", + "description": "Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Use multi-factor authentication wherever possible.\n", + "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba", + "created": "2023-09-28T19:38:03.976Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:38:03.976Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.145Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1", + "created": "2023-09-28T20:27:33.713Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:33.713Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2022-10-14T16:17:25.451Z", + "description": "Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to login and may perform follow-on actions that spawn additional processes as the user.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber 
threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:07.936Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b", + "created": "2023-09-28T21:28:21.910Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:21.910Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8", + "created": "2023-09-29T17:09:25.690Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:25.690Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--59c65014-1fee-4c2e-9ece-9883159bbed2", + "created": 
"2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:16:20.286Z", + "description": "Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc", + "created": "2023-03-10T20:30:43.206Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:30:43.206Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:41.495Z", + "description": "Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba", + "created": "2023-09-28T20:07:36.295Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:36.295Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.180Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5b14c813-09e2-4709-ab42-94830cf9538c", + "created": "2023-09-29T18:42:39.876Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:42:39.876Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "Kyle Wilhoit", + "description": "Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ", + "url": "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:19:26.117Z", + "description": "Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) relies on a user opening a trojanized installer attached to an email. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:39:05.432Z", + "description": "Provide the ability to verify the integrity and authenticity of changes to parameter values.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, 
+ "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:01:18.283Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5c61c8a2-bfff-43fb-8397-bff864413d74", + "created": "2023-09-29T17:06:09.673Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:06:09.673Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5c695f49-6c76-4818-88b6-4db2bf029e43", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T17:38:22.073Z", + "description": "Monitor for file creation in conjunction with other techniques (e.g., file transfers using [Remote Services](https://attack.mitre.org/techniques/T0886)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.182Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "System and process restarts should be performed when a timeout condition occurs.\n", + "source_ref": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.068Z", + "relationship_type": "mitigates", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:48:51.528Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of 
standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom 
Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:05:04.619Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. (Citation: Tom Fakterman August 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5e324da5-0fee-4dac-b289-410d560e03e9", + "created": "2023-09-28T19:46:49.255Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:46:49.255Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb", + "created": "2023-09-28T20:16:28.582Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:28.582Z", + "description": "", + "relationship_type": "targets", + 
"source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.117Z", + "relationship_type": "mitigates", + "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "external_references": [ + { + "source_name": "Dan Goodin March 2017", + "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0", + "created": "2023-09-25T20:49:49.605Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:49:49.605Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5ff26c96-c610-4669-b44e-d6318205be5a", + "created": "2023-09-29T16:43:28.841Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:43:28.841Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--600f0115-94e3-49bf-afa6-0180b3367b94", + "created": "2023-09-28T20:06:15.180Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:06:15.180Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.195Z", + "relationship_type": "mitigates", + "description": "Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n", + "source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024", + "created": "2023-09-29T18:07:18.253Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:07:18.253Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--605f3853-b007-4134-8a2d-6a81a35e7676", + "created": "2023-09-29T18:48:05.559Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:05.559Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6157408d-1eb3-4445-8d8a-14619458954f", + "created": "2022-09-27T15:26:40.297Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:26:40.297Z", + "description": "Monitor for network traffic originating from unknown/unexpected hardware devices. 
Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", + "created": "2019-03-26T16:19:52.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:58:23.141Z", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--62abe387-10a2-414b-881c-060b70db2157", + "created": "2023-09-28T20:08:39.992Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:08:39.992Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--62e818b8-38e6-42ff-9424-9a327332eb2a", + "created": "2022-09-29T20:02:37.671Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. 
Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T15:22:56.606Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 component sends the domain-specific MMSgetNameList request to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.(Citation: ESET Industroyer)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.122Z", + "relationship_type": "mitigates", + "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", + "source_ref": 
"course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:25:01.756Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:53:22.510Z", + "description": "Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b", + "created": "2023-09-29T17:44:55.599Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:55.599Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + }, + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:29.480Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3", + "created": "2023-09-29T16:43:05.495Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:43:05.495Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + 
"id": "relationship--642cae89-bb5c-46f3-9fea-8d747b930c35", + "created": "2023-03-10T20:11:10.018Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T22:03:14.174Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. 
This resulted in harm to marine life and produced a sickening stench from the community's affected rivers.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--648c6649-5861-4b43-a7e5-a9665bafb576", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:17:15.157Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) uses the first COM port from the configuration file for the communication and the other two COM ports are opened to prevent other processes accessing them. This may block processes or operators from getting reporting messages from a device. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.198Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--652c1e77-cfea-4452-9762-5ba16f874119", + "created": "2023-09-29T17:58:42.002Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:42.002Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:49:07.316Z", + "description": "Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6573327e-3757-424e-8570-04ffe7d5d0e2", + "created": "2023-09-27T14:53:25.385Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T15:22:13.576Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used port 443 to communicate with their C2 servers. 
(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--65aa5a0d-926c-4b04-9509-f66a99639877", + "created": "2023-09-29T17:41:34.892Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:41:34.892Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", + "type": "relationship", + "created": "2021-09-21T15:47:37.522Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "IBM Ransomware Trends September 2020", + "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", + "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." + }, + { + "source_name": "FBI Flash FIN7 USB", + "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/", + "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022." 
+ } + ], + "modified": "2022-01-14T17:29:16.633Z", + "description": "(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)", + "relationship_type": "uses", + "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5", + "created": "2023-09-28T21:25:34.304Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:25:34.304Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2", + "created": "2023-10-02T20:18:54.267Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:18:54.267Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", + "created": "2019-03-26T16:19:52.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:58:42.847Z", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.099Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--665587ee-1524-4334-9580-2b448c417542", + "created": "2023-03-30T19:26:07.209Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-06T22:09:44.559Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) modifies specified Information Object Addresses (IOAs) for specified Application Service Data Unit (ASDU) addresses to either the ON or OFF state.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--66738beb-0a33-4d70-baec-8307b5b34f80", + "created": "2023-09-28T20:16:05.975Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:05.975Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6681bc38-0b55-4714-b690-c609956b40bf", + "created": "2022-09-28T20:27:33.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). 
Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.438Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).(Citation: CISA-AA22-103A)\n\n [INCONTROLLER](https://attack.mitre.org/software/S1045) can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d", + "created": "2023-03-10T20:32:02.472Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:32:02.472Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "type": "relationship", "id": "relationship--66af47d7-c430-4ac9-8020-fd79b7059037", 
@@ -22173,2156 +19073,37 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.070Z", - "relationship_type": "mitigates", - "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702", + "created": "2023-09-29T17:43:31.956Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-21T16:44:13.707Z", - "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.170Z", - "relationship_type": "mitigates", - "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.203Z", - "relationship_type": "mitigates", - "description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:52:31.059Z", - "description": "Device restarts and shutdowns may be observable in device application logs. 
Monitor for unexpected device restarts or shutdowns.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.073Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T18:41:05.273Z", - "description": "Monitor network data for uncommon data flows. 
Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908", - "created": "2023-03-30T19:25:53.572Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 Mandiant April 2022", - "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", - "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" - }, - { - "source_name": "Industroyer2 Forescout July 2022", - "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", - "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-06T22:10:36.267Z", - "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", - "relationship_type": "uses", - "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2023-09-29T17:43:31.956Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:45:26.506Z", - "modified": "2022-05-06T17:47:24.194Z", - "relationship_type": "mitigates", - "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. 
Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "external_references": [ - { - "source_name": "D. Parsons and D. Wylie September 2019", - "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", - "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" - }, - { - "source_name": "Colin Gray", - "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", - "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" - }, - { - "source_name": "Josh Rinaldi April 2016", - "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", - "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" - }, - { - "source_name": "Aditya K Sood July 2019", - "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", - "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" - }, - { - "source_name": "Langner November 2018", - "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", - "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.143Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.214Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:10:53.087Z", - "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce", - "created": "2022-09-27T15:25:50.596Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:49:19.854Z", - "description": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. 
Scan downloads for malicious signatures.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", + "id": "relationship--66d637a0-4874-4b12-bd3a-b408acb06d26", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-30T16:00:14.208Z", - "description": "Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., “Read” function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process’ state, one of which is typically used in the operational environment. 
Monitor for the operating mode being checked in unexpected ways.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.105Z", - "relationship_type": "mitigates", - "description": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T16:43:32.737Z", - "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. 
This may mitigate, or at least alleviate, the scope of AiTM activity.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.106Z", - "relationship_type": "mitigates", - "description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n", - "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", - "created": "2022-09-28T20:22:09.916Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. 
Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:16:59.156Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:43:36.467Z", - "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.077Z", - "relationship_type": "mitigates", - "description": "Protocols used 
for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--55f3dd59-08be-4e23-a680-b6db7850b399", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:59:50.879Z", - "description": "Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.", + "modified": "2022-10-14T16:53:54.118Z", + "description": "Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. 
Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:19:43.236Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through trojanized installers planted on compromised vendor sites. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", - "created": "2017-05-31T21:33:27.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Marc-Etienne M.Lveill October 2017", - "description": "Marc-Etienne M.Lveill 2017, October 24 Bad Rabbit: NotPetya is back with improved ransomware Retrieved. 2019/10/27 ", - "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:31:02.075Z", - "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. 
(Citation: Marc-Etienne M.Lveill October 2017)", - "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7c329018-b591-42c4-8806-4d02ccd47476", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:55:36.262Z", - "description": "Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:32:18.214Z", - "description": "Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. 
Asset management systems should be consulted to understand known-good firmware versions and configurations.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", - "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ICS-CERT August 2018", - "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", - "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:23:33.379Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. 
(Citation: ICS-CERT August 2018)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.071Z", - "relationship_type": "mitigates", - "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:36:51.486Z", - "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. 
For added context on adversary procedures and background see [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393", - "created": "2022-09-26T14:43:24.136Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Elastic - Koadiac Detection with EQL", - "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. Retrieved November 30, 2020.", - "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:49:34.799Z", - "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.219Z", - "relationship_type": "mitigates", - "description": "Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6902da63-3b59-46f3-99e0-6008dd47ab70", - "created": "2022-09-27T15:33:16.221Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:38:13.560Z", - "description": "Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. 
[Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:01:38.884Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:30.482Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--868db512-b897-4a54-ae56-ac78f6c93a14", - "created": "2022-09-28T20:29:18.027Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.443Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use a Telnet session to load a malware implant on Omron PLCs.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", - "created": "2022-05-06T17:47:21.168Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Carl Hurd March 2019", - "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", - "url": "https://www.youtube.com/watch?v=yuZazP22rpI" - }, - { - "source_name": "William Largent June 2018", - "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", - "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:31:07.308Z", - "description": "The [VPNFilter](https://attack.mitre.org/software/S1010)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. 
Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", - "relationship_type": "uses", - "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:40:47.334Z", - "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Microsoft Security Response Center August 2017", - "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", - "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" - }, - { - "source_name": "Wikipedia", - "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", - "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T13:19:12.382Z", - "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.204Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T13:49:30.320Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9d75333b-2542-4899-923f-55dc1e077a51", - "created": "2022-09-27T16:03:41.224Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:45:52.592Z", - "description": "Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. 
Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d", - "created": "2023-03-10T20:32:02.472Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:32:02.472Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed for changing configurations in the PDS computers. 
This ultimately led to 800,000 liters of raw sewage being spilled out into the community.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa", - "type": "relationship", - "created": "2017-05-31T21:33:27.070Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", - "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", - "source_name": "iSIGHT Sandworm 2014" - }, - { - "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", - "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", - "source_name": "F-Secure BlackEnergy 2014" - }, - { - "source_name": "US District Court Indictment GRU Unit 74455 October 2020", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download", - "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." - }, - { - "source_name": "UK NCSC Olympic Attacks October 2020", - "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", - "description": "UK NCSC. (2020, October 19). 
UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." - }, - { - "source_name": "Secureworks IRON VIKING ", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." - } - ], - "modified": "2022-02-28T17:02:50.401Z", - "description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.197Z", - "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", - "created": "2021-04-12T07:57:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik August 2019", - 
"description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-14T20:00:00.650Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Joe Slowik August 2019)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:45:17.457Z", - "description": "Monitor for network traffic originating from unknown/unexpected systems.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": 
"relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.209Z", - "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.070Z", - "relationship_type": "mitigates", - "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Tom Fakterman August 2019", - "description": "Tom Fakterman 
2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:05:04.619Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. (Citation: Tom Fakterman August 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-21T16:44:46.032Z", - "description": "Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. 
In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Eduard Kovacs March 2018", - "description": "Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 2020/01/03 ", - "url": "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos" - }, - { - "source_name": "Novetta Threat Research Group February 2016", - "description": "Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25 ", - "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:15:30.732Z", - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. 
(Citation: Eduard Kovacs March 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c9065f74-556d-4728-8072-f96642e70316", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:24.739Z", - "modified": "2022-05-06T17:47:24.187Z", - "relationship_type": "mitigates", - "description": "Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", - "created": "2021-04-13T12:08:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:28:11.304Z", - "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.222Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:48:49.308Z", - "description": "Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.237Z", - "relationship_type": "mitigates", - "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. 
(Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "external_references": [ - { - "source_name": "CISA March 2010", - "description": "CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.098Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Symantec", - "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", - "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:44:27.955Z", - "description": "[Duqu](https://attack.mitre.org/software/S0038)'s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.(Citation: Symantec)", - "relationship_type": "uses", - "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc", - "created": "2023-03-10T20:30:43.206Z", - "revoked": false, - "external_references": [ - { - "source_name": "Marshall Abrams July 2008", - "description": 
"Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-10T20:30:43.206Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.(Citation: Marshall Abrams July 2008)", - "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d90b1271-a90d-41c7-9df7-bec47880c82e", - "created": "2022-09-27T15:33:46.485Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:33:46.485Z", - "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. 
[Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.087Z", - "relationship_type": "mitigates", - "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", - "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", - "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", - "external_references": [ - { - "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", - "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", - "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", - "created": "2021-04-13T12:28:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Threat Intelligence February 2020", - "description": "Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 2021/04/12 ", - "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:48:00.088Z", - "description": "[EKANS](https://attack.mitre.org/software/S0605) masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. 
(Citation: Dragos Threat Intelligence February 2020)", - "relationship_type": "uses", - "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-08T22:26:11.066Z", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "relationship_type": "mitigates", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T17:00:17.249Z", - "modified": "2022-05-06T17:47:24.212Z", - "relationship_type": "mitigates", - "description": "A supply chain management program should include methods the assess the trustworthiness and 
technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n", - "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "external_references": [ - { - "source_name": "Robert A. Martin January 2021", - "description": "Robert A. Martin 2021, January TRUSTING OUR SUPPLY CHAINS: A COMPREHENSIVE DATA-DRIVEN APPROACH Retrieved. 2021/04/12 ", - "url": "https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14", - "created": "2023-03-31T17:44:45.164Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-07T17:54:45.912Z", - "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.(Citation: Dragos Crashoverride 2018)", - "relationship_type": "uses", - "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4", - "created": "2022-09-26T20:46:23.812Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:30:58.676Z", - "description": "Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - }, - { - "source_name": "Kyle Wilhoit", - "description": "Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ", - "url": "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:19:26.117Z", - "description": "Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) relies on a user opening a trojanized installer attached to an email. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.065Z", - "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ca5c7ae7-5273-4888-bc50-183d6e200972", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.105Z", - "relationship_type": "mitigates", - "description": "Built-in browser sandboxes and application isolation may be used to contain web-based malware.\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": 
"1.0" - }, - { - "type": "relationship", - "id": "relationship--1e6da55a-ab6c-4583-9e20-583f82096497", - "created": "2022-09-26T14:40:01.334Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:49:58.047Z", - "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:32:41.938Z", - "description": "Monitor for newly constructed files copied to or from removable media.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--383e242a-72d4-4b40-8905-888595c34919", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - 
"external_references": [ - { - "source_name": "Kelly Jackson Higgins", - "description": "Kelly Jackson Higgins How a Manufacturing Firm Recovered from a Devastating Ransomware Attack Retrieved. 2019/11/03 ", - "url": "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:20:20.608Z", - "description": "An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0446) attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open. (Citation: Kelly Jackson Higgins)", - "relationship_type": "uses", - "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", - "created": "2017-05-31T21:33:27.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:31:37.216Z", - "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.156Z", - "relationship_type": "mitigates", - "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.208Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.130Z", - "relationship_type": "mitigates", - "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:47:45.775Z", - "description": "Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Eduard Kovacs May 2018", - "description": "Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved. 
2020/01/03 ", - "url": "https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:33:11.305Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.112Z", - "relationship_type": "mitigates", - "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--40f63b01-dc59-475d-826a-74f38c6e81b9", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:38:28.550Z", - "description": "Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. 
Monitor for relevant process creation events.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:09:35.145Z", - "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.203Z", - "relationship_type": "mitigates", - "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov", - "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 
2019/10/29 ", - "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:55:23.573Z", - "description": "[KillDisk](https://attack.mitre.org/software/S0607) looks for and terminates two non-standard processes, one of which is an ICS application. (Citation: Anton Cherepanov)", - "relationship_type": "uses", - "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.168Z", - "relationship_type": "mitigates", - "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:40:06.988Z", 
- "description": "Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.173Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:54:26.520Z", - "description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)", - "relationship_type": "uses", - "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c", - "created": "2022-09-29T01:37:13.671Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - }, - { - "source_name": "Brubaker-Incontroller", - "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.441Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9cf83701-a347-47b4-a67b-280df95b275d", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:41:05.460Z", - "description": "Monitor for changes made to scheduled jobs that may attempt to manipulate features of their 
artifacts to make them appear legitimate or benign to users and/or security tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d", - "created": "2022-09-26T16:16:21.749Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:16:21.749Z", - "description": "Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.172Z", - "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": 
"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.187Z", - "relationship_type": "mitigates", - "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.081Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", - "created": "2019-06-24T17:20:24.258Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Catalin Cimpanu April 2016", - "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", - "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" - }, - { - "source_name": "Symantec June 2015", - "description": "Symantec 2015, June 30 Simple steps to protect yourself from the Conficker Worm Retrieved. 2019/12/05 ", - "url": "https://support.symantec.com/us/en/article.tech93179.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-17T15:38:28.233Z", - "description": "[Conficker](https://attack.mitre.org/software/S0608) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0608) automatically copies itself to all visible open drive shares on other computers inside the network. 
(Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0608) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. (Citation: Catalin Cimpanu April 2016)", - "relationship_type": "uses", - "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.099Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.104Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8", - "created": "2023-03-30T19:00:57.773Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T19:00:57.773Z", - "description": "Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:29:38.448Z", - "description": "Monitor network traffic for default credential use in protocols that allow unencrypted authentication.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - 
}, - { - "type": "relationship", - "id": "relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:54:12.966Z", - "description": "Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. For added context on adversary procedures and background see [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) and [System Network Connections Discovery](https://attack.mitre.org/techniques/T1049).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
@@ -24330,147 +19111,44 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.216Z", - "relationship_type": "mitigates", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91", - "created": "2022-09-26T16:35:07.728Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:35:07.728Z", - "description": "Monitor for new master devices communicating with outstations, which may be visible in alarms within the ICS environment.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--15188683-7ded-4578-9102-73459ecbe095", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:37:54.914Z", - "description": "Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a", - "created": "2021-04-11T14:06:54.109Z", + "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", + "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:54:43.581Z", - "description": "In the 2015 attack on the Ukrainian power grid, the [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled disconnects of uninterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "modified": "2022-09-23T18:25:59.238Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to login as a user and stop a service as that user. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "type": "relationship", - "id": "relationship--94654460-b115-4056-beb1-e982ed33437b", - "created": "2023-03-30T18:59:46.674Z", - "revoked": false, - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T18:59:46.674Z", - "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from the local system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)", - "relationship_type": "mitigates", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d", + "id": "relationship--671043a9-337f-411a-9ca9-3112e897ab09", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.097Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": 
"course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.203Z", + "modified": "2022-05-06T17:47:24.184Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -24484,47 +19162,40 @@ }, { "type": "relationship", - "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd", + "created": "2023-09-29T18:02:52.119Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-21T13:49:50.583Z", - "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "modified": "2023-09-29T18:02:52.119Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--9f43126d-5f6c-42a9-9908-49175c27ead7", - "created": "2023-03-30T19:27:26.398Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--6795c92f-848f-488e-9c25-d240f99c9b34", + "created": "2023-09-28T21:23:39.333Z", "revoked": false, - "external_references": [ - { - "source_name": "Industroyer2 ESET April 2022", - "description": "ESET. (2022, April 12). Industroyer2: Industroyer reloaded. 
Retrieved March 30, 2023.", - "url": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T15:49:13.700Z", - "description": "(Citation: Industroyer2 ESET April 2022)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "modified": "2023-09-28T21:23:39.333Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -24580,18 +19251,25 @@ }, { "type": "relationship", - "id": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79", - "created": "2022-05-11T16:22:58.803Z", + "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", + "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "Jeff Jones May 2018", + "description": "Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 2020/01/03 ", + "url": "https://www.eisac.com/public-news-detail?id=115909" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:10:34.653Z", - "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "modified": "2022-10-12T15:40:28.784Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. (Citation: Jeff Jones May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -24599,23 +19277,3196 @@ }, { "type": "relationship", - "id": "relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459", - "created": "2022-09-23T16:35:17.240Z", + "id": "relationship--67ae8423-c401-4c11-93d3-0454c288d934", + "created": "2023-09-29T16:31:57.421Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:31:57.421Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--67dae594-4239-4756-a0bc-dee75de19e4c", + "created": "2023-09-29T17:07:14.259Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:07:14.259Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--67e11f38-9f68-4989-8de3-da65af52063e", + "created": "2023-03-30T19:24:54.896Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 ESET April 2022", + "description": "ESET. (2022, April 12). Industroyer2: Industroyer reloaded. 
Retrieved March 30, 2023.", + "url": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-06T22:10:14.646Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) has the capability to poll a target device about its connection status, data transfer status, Common Address (CA), Information Object Addresses (IOAs), and IO state values across multiple priority levels.(Citation: Industroyer2 Forescout July 2022)(Citation: Industroyer2 ESET April 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.202Z", + "relationship_type": "mitigates", + "description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--685249f9-e51a-4914-8b7f-09679e04198b", + "created": "2023-09-28T19:49:11.359Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:49:11.359Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.174Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1", + "created": "2023-09-28T19:39:25.832Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:39:25.832Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", + "created": "2020-05-14T14:40:26.221Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. 
(2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" + }, + { + "source_name": "Mandiant FIN12 Oct 2021", + "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. 
Retrieved June 15, 2023.", + "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-12T14:30:20.653Z", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)", + "relationship_type": "uses", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--68d30c45-766f-48b6-9405-0c969243332b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6902da63-3b59-46f3-99e0-6008dd47ab70", + "created": "2022-09-27T15:33:16.221Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T16:34:31.627Z", - "description": "Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.", + "modified": "2022-10-14T16:38:13.560Z", + "description": "Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. 
[Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:17:44.736Z", + "description": "Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). 
Monitor for changes in the functions used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec", + "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", + "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:10:47.409Z", + "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data in information repositories, including the Infostealer 2 module that can access data from Windows Shares.(Citation: Symantec)", + "relationship_type": "uses", + "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--692ff921-c74d-40a4-ab31-879aba5f247a", + "created": "2023-09-29T16:42:01.287Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:01.287Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.\n", + "source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:36:26.282Z", + "description": "Provide the ability to verify the integrity of controller tasking. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--69cf4015-fae1-47f6-9253-1f99209288a5", + "created": "2023-09-29T16:27:34.964Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:27:34.964Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820", + "created": "2023-09-29T17:44:19.135Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:19.135Z", + "description": "", + "relationship_type": "targets", + 
"source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6a476f56-2c07-43be-8054-d978ee8eb924", + "created": "2023-09-29T16:42:12.160Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:12.160Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908", + "created": "2023-03-30T19:25:53.572Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Mandiant April 2022", + "description": "Daniel Kapellmann Zafra, Raymond Leong, Chris Sistrunk, Ken Proska, Corey Hildebrandt, Keith Lunden, Nathan Brubaker. (2022, April 25). INDUSTROYER.V2: Old Malware Learns New Tricks. Retrieved March 30, 2023.", + "url": "https://www.mandiant.com/resources/blog/industroyer-v2-old-malware-new-tricks" + }, + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-06T22:10:36.267Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) is capable of sending command messages from the compromised device to target remote stations to open data channels, retrieve the location and values of Information Object Addresses (IOAs), and modify the IO state values through Select Before Operate I/O, Select/Execute, and Invert Default State operations.(Citation: Industroyer2 Mandiant April 2022)(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:41:05.273Z", + "description": "Monitor network data for uncommon data flows. 
Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d", + "created": "2023-03-30T14:09:40.255Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:09:40.255Z", + "description": "Monitor for device alarms produced when device management passwords are changed, although not all devices will produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 
2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:00.355Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72", + "created": "2023-09-29T16:31:22.789Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:31:22.789Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--6b54f354-9059-4366-8077-87360c4db2ab", + "created": "2023-10-02T20:18:20.019Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:18:20.019Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.147Z", + "relationship_type": "mitigates", + "description": "Only authorized personnel should be able to change settings for alarms.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably 
through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:44:06.211Z", + "description": "Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d", + "created": "2021-10-08T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T17:13:18.889Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: `set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s);` (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:22.279Z", + "description": "Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee", + "created": 
"2022-09-29T14:26:04.715Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:26:04.715Z", + "description": "Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.089Z", + "relationship_type": "mitigates", + "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6bf14e79-3287-4b9e-b222-9d527530df1e", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:08.560Z", + "description": "Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.224Z", + "relationship_type": "mitigates", + "description": "Install anti-virus software on all workstation and transient assets that may have external access, such as 
to web, email, or remote file shares.\n", + "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6c31c795-935a-41ad-8db1-d74430f4a553", + "created": "2023-09-29T18:56:59.151Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:59.151Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4", + "created": "2023-09-28T20:09:36.756Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:09:36.756Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e", + "created": "2023-09-28T20:08:52.975Z", + "revoked": false, + "object_marking_refs": 
[ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:08:52.975Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.186Z", + "relationship_type": "mitigates", + "description": "All remote services should require strong authentication before providing user access.\n", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:19:43.236Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through trojanized installers planted on compromised vendor sites. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5", + "created": "2023-03-10T20:35:16.772Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:35:16.772Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.220Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6eaf727c-fec3-4e63-8852-eee27c44d596", + "created": "2022-09-27T15:23:19.486Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:47:06.144Z", + "description": "Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee Labs October 2019", + "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 
2021/04/12 ", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" + }, + { + "source_name": "SecureWorks September 2019", + "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:05:35.788Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. (Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.069Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf", + "created": "2023-09-29T17:41:50.116Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:41:50.116Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.112Z", + "relationship_type": "mitigates", + "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6f2ddada-d7df-4788-b5d1-9add185142e0", + "created": "2023-09-28T20:02:57.330Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2023-09-28T20:02:57.330Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e", + "created": "2023-09-28T21:27:14.172Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:27:14.172Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6f950c91-125b-46a0-aa40-239b4de2306a", + "created": "2023-09-28T21:14:03.305Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:03.305Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:01:38.884Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7", + "created": "2023-03-30T19:25:22.673Z", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. 
Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:25:22.673Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) leverages a hardcoded list of remote-station IP addresses to iteratively initiate communications and collect information across multiple priority IEC-104 priority levels.(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--70113c21-85f2-4232-8755-233f93864277", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:17:12.033Z", + "description": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running. 
For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.135Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:44.864Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe which includes a Python environment. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--70a9010c-6943-4274-b854-50901c3e5a0e", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:23:29.885Z", + "description": "Monitor for protocol functions related to program download or modification. Program downloads may be observable in ICS automation protocols and remote management protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:29:38.448Z", + "description": "Monitor network traffic for default credential use in protocols that allow unencrypted authentication.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + 
"x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", + "created": "2019-06-24T17:20:24.258Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + }, + { + "source_name": "Symantec June 2015", + "description": "Symantec 2015, June 30 Simple steps to protect yourself from the Conficker Worm Retrieved. 2019/12/05 ", + "url": "https://support.symantec.com/us/en/article.tech93179.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-17T15:38:28.233Z", + "description": "[Conficker](https://attack.mitre.org/software/S0608) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0608) automatically copies itself to all visible open drive shares on other computers inside the network. (Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0608) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. 
(Citation: Catalin Cimpanu April 2016)", + "relationship_type": "uses", + "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977", + "created": "2023-09-28T19:55:37.459Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:55:37.459Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--71c81024-ea36-4853-940a-cd9d4cbcabed", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:05:39.957Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment. 
(Citation: Dragos December 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:44:01.639Z", + "description": "To protect against AiTM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). 
Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from AiTM.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7258c355-677c-452d-b1fc-27767232437b", + "created": "2019-03-26T16:19:52.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019", + "description": "David Voreacos, Katherine Chinglinsky, Riley Griffin 2019, December 03 Merck Cyberattacks $1.3 Billion Question: Was It an Act of War? Retrieved. 2019/12/06 ", + "url": "https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:59:02.909Z", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) disrupted manufacturing facilities supplying vaccines, resulting in a halt of production and the inability to meet demand for specific vaccines. 
(Citation: David Voreacos, Katherine Chinglinsky, Riley Griffin December 2019)", + "relationship_type": "uses", + "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--72bfda0b-31e9-4958-8d40-6efe816d9989", + "created": "2022-09-27T15:32:03.332Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:33:47.681Z", + "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. 
Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--730580d4-d68c-407f-9d09-f379e9aefc7e", + "created": "2023-03-30T19:25:41.475Z", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 Forescout July 2022", + "description": "Forescout. (2022, July 14). Industroyer2 and INCONTROLLER In-depth Technical Analysis of the Most Recent ICS-specific Malware. Retrieved March 30, 2023.", + "url": "https://www.forescout.com/resources/industroyer2-and-incontroller-report/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:25:41.475Z", + "description": "[Industroyer2](https://attack.mitre.org/software/S1072) uses a General Interrogation command to monitor the device’s Information Object Addresses (IOAs) and their IO state values.(Citation: Industroyer2 Forescout July 2022)", + "relationship_type": "uses", + "source_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--73093c08-ea39-4956-8bff-55e15f6630cd", + "created": 
"2023-09-28T20:07:59.785Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:59.785Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 Magnallium Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/magnallium/" + }, + { + "source_name": "Symantec March 2019", + "description": "Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 ", + "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:42:15.944Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) utilized PowerShell scripts to establish command and control and install files for execution. 
(Citation: Symantec March 2019) (Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--73a48431-3597-4a72-acb8-c1e5019073e2", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Twitter ItsReallyNick Masquerading Update", + "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.", + "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:24.266Z", + "description": "Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.(Citation: Twitter ItsReallyNick Masquerading Update)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--740082b7-2411-473a-a59d-4d46cf12f8b5", + "created": "2023-09-29T18:45:01.516Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:01.516Z", + "description": "", + 
"relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "external_references": [ + { + "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", + "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 
2016/04/20 ", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7", + "created": "2023-09-29T17:57:23.090Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:23.090Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:26:26.552Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. 
(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:45:26.506Z", + "modified": "2022-05-06T17:47:24.194Z", + "relationship_type": "mitigates", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "external_references": [ + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. 
Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Execution prevention may block malicious software from accessing protected resources through the command line interface.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.108Z", + "relationship_type": "mitigates", + "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. 
(Citation: MITRE June 2020)\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "external_references": [ + { + "source_name": "MITRE June 2020", + "description": "MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 2020/09/25 ", + "url": "https://cwe.mitre.org/data/definitions/227.html" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7584e57f-1258-4c47-b18d-99019a586e6c", + "created": "2023-09-28T21:16:35.382Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:35.382Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--758773e3-d23d-44db-b5d3-643cde5b41f1", + "created": "2023-09-28T19:45:07.511Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:45:07.511Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:49:30.320Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--75a60046-c4d7-498a-b256-9a93b5992dcc", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:46.014Z", + "description": "Monitor for unusual processes with internal network connections creating files on-system which may be suspicious. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48", + "created": "2023-09-29T17:06:33.098Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:06:33.098Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--75e6adae-06a7-47e9-878e-74ca73004c3b", + "created": "2023-09-28T20:30:01.641Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:01.641Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--76537fd7-5782-4a8d-9b54-117b168a4306", + "created": "2023-09-29T16:38:51.155Z", + "revoked": 
false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:38:51.155Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:36:51.486Z", + "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. 
For added context on adversary procedures and background see [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--77566f94-5e26-41c9-892f-2f62b395afe7", + "created": "2023-09-28T20:01:43.057Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:01:43.057Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--77821dbb-367e-455f-bcae-b87412e88f1b", + "created": "2022-09-26T16:56:53.939Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:56:53.940Z", + "description": "Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--77f3a64d-227d-487f-8484-89007e05b59f", + "created": "2023-09-28T21:16:14.153Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:14.153Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--78881a3d-59ad-4fbb-8bd2-69388a068584", + "created": "2023-09-29T18:01:45.518Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:01:45.518Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631", + "created": "2023-09-28T21:09:33.225Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:09:33.225Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--78972893-5d8c-480f-a05d-481adc0c8bb0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:12:25.316Z", + "description": "Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7912946d-1605-465a-a55c-36bb104235ab", + "created": "2022-09-27T16:08:53.157Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:08:53.157Z", + "description": "Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": 
"attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec", + "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", + "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:44:27.955Z", + "description": "[Duqu](https://attack.mitre.org/software/S0038)'s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.(Citation: Symantec)", + "relationship_type": "uses", + "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79235599-e23f-43cb-9c56-1eb22b7c4664", + "created": "2023-09-29T16:38:38.201Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:38:38.201Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + 
"target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:25:35.287Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79407d1e-8e16-48c1-939c-ad92f91dd988", + "created": "2023-09-29T16:30:19.141Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:30:19.141Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.226Z", + "relationship_type": "mitigates", + "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "external_references": [ + { + "source_name": "North America Transmission Forum December 2019", + "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 
2020/09/25 ", + "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--798de2f3-218b-4622-a62c-84e3840d45a6", + "created": "2023-09-29T18:00:10.845Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:00:10.845Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19", + "created": "2023-09-29T16:32:22.510Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:32:22.510Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79d05cb2-ded0-4847-b52e-af7af421f303", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + 
"external_references": [ + { + "source_name": "Kevin Savage and Branko Spasojevic", + "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ", + "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:50:07.974Z", + "description": "[Flame](https://attack.mitre.org/software/S0143) can collect AutoCAD design data and visio diagrams as well as other documents that may contain operational information. (Citation: Kevin Savage and Branko Spasojevic)", + "relationship_type": "uses", + "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:46:05.831Z", + "description": "Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe). 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Hydro", + "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", + "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:56:48.612Z", + "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of view which forced the company to switch to manual operations. 
(Citation: Kevin Beaumont) (Citation: Hydro)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978", + "created": "2022-09-26T14:29:33.111Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:29:33.111Z", + "description": "Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.157Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": 
"course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0", + "created": "2023-09-29T16:33:23.456Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:33:23.456Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780", + "created": "2023-09-28T19:45:42.727Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:45:42.727Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b", + "created": "2023-09-29T17:39:54.089Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:39:54.089Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7bb1dbec-7314-479a-9496-86f8e25041eb", + "created": "2023-09-29T16:40:43.415Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:43.416Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07", + "created": "2023-09-29T18:49:01.768Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:01.768Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84", + "created": "2023-09-28T20:07:15.553Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:15.553Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07", + "created": "2023-03-31T17:45:32.860Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T16:12:03.917Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution.(Citation: Dragos Crashoverride 2018)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea", + "created": "2023-09-28T20:07:01.309Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:01.309Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + "relationship_type": 
"mitigates", + "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c", + "created": "2022-09-29T01:37:13.671Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. 
Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.441Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd", + "created": "2022-09-27T15:27:00.387Z", + "revoked": 
false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:27:00.387Z", + "description": "Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c329018-b591-42c4-8806-4d02ccd47476", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:36.262Z", + "description": "Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:26:34.069Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23", + "created": "2023-09-29T18:48:29.126Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:29.126Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95", + "created": "2022-09-27T17:22:27.241Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:23.870Z", + "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7c893581-c847-495a-aa93-9d98c516e1ae", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:13:43.688Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603)'s infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.072Z", + "relationship_type": "mitigates", + "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7d2db896-3051-483c-bc53-ca21832ee085", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:47:23.983Z", + "description": "Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). 
Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:39:20.443Z", + "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. 
Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d42ba22-9595-4463-8dda-c0e47a154fed", + "created": "2023-09-28T20:07:48.301Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:48.301Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:49:40.767Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": 
"3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:14:40.227Z", + "description": "Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using [Valid Accounts](https://attack.mitre.org/techniques/T0859).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:29:53.545Z", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d752615-33f0-44ed-a156-25d84f384e75", + "created": "2023-09-27T14:57:11.627Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.261Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power company phone line operators were hit with a denial of service attack so that they couldn’t field customers’ calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices. 
(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:12.966Z", + "description": "Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
For added context on adversary procedures and background see [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) and [System Network Connections Discovery](https://attack.mitre.org/techniques/T1049).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.195Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.083Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "external_references": [ + { + "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", + "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 
2016/04/20 ", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7e87ce08-a428-4e55-876e-80d2760121a5", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:37:35.099Z", + "description": "Monitor executed commands and arguments for actions that could be taken to collect internal data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858", + "created": "2023-09-29T16:32:46.335Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:32:46.335Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706", + "created": "2023-09-28T20:28:16.122Z", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:28:16.122Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7", + "created": "2023-09-29T17:43:22.756Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:43:22.756Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:40:55.168Z", + "description": "Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. 
In addition to network level detections, endpoint logging and instrumentation can be useful for detection.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3", + "created": "2022-09-26T15:24:07.122Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:24:07.122Z", + "description": "Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). 
Monitor for changes in the functions used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.071Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.152Z", + "relationship_type": "mitigates", + "description": "Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n", + 
"source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.114Z", + "relationship_type": "mitigates", + "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "external_references": [ + { + "source_name": "Dan Goodin March 2017", + "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:43:45.457Z", + "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.098Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--80a69b56-337d-446a-8167-8b9f63083c4f", + "created": "2022-09-28T21:24:21.810Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.442Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) includes a library that creates Modbus connections with a device to request its device ID.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--81055366-e78b-40e0-a799-4b536ba03db3", + "created": "2023-09-29T18:45:22.474Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:22.474Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--81117328-e2bb-431c-a1ca-6ba7e6816637", + "created": "2022-09-26T16:25:38.511Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:25:38.511Z", + "description": "Consult asset management systems to 
understand expected program versions.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6", + "created": "2023-09-28T20:11:42.579Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:11:42.579Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--81806f43-c9aa-486e-8032-4e4665ba0d39", + "created": "2023-09-29T18:43:13.760Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:43:13.760Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32", + "created": "2023-09-28T21:13:00.330Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:00.330Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--81add433-49d8-43ec-85d5-f48fe80e56e7", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:44:21.000Z", + "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. 
Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Users can be trained to identify social engineering techniques and spearphishing emails.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, + { + "source_name": "Langer Stuxnet", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T16:00:35.053Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. (Citation: Langer Stuxnet)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:42:35.018Z", + "description": "Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. 
For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--83a964cb-730c-44e4-859b-b5246159396b", + "created": "2023-09-29T17:59:43.275Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:59:43.275Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:27:02.814Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "type": "relationship", "id": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", 
@@ -24632,35 +22483,7168 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-23T18:48:43.457Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)", + "modified": "2023-09-25T14:53:48.947Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. 
(Citation: Joe Slowik August 2019)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "x_mitre_deprecated": false, "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:32:52.932Z", + "description": "Monitor for newly constructed drive letters or mount points to removable media.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--21134484-2d59-46b7-b878-527121fff1e3", - "created": "2022-09-26T14:28:17.209Z", + "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:49:11.920Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--84671396-a556-4a5d-9bb9-cac697277371", + "created": "2023-09-29T16:31:12.255Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": 
"2022-09-26T14:28:17.209Z", - "description": "Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", + "modified": "2023-09-29T16:31:12.255Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65", + "created": "2023-09-28T21:11:15.610Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:11:15.610Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--84fa50ff-bb84-4ab6-b759-658c57532c42", + "created": "2023-09-29T16:32:09.319Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:32:09.319Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": 
"x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7", + "created": "2023-09-29T18:01:32.878Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:01:32.878Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75", + "created": "2023-09-29T17:59:22.291Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:59:22.291Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--868db512-b897-4a54-ae56-ac78f6c93a14", + "created": "2022-09-28T20:29:18.027Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.443Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use a Telnet session to load a malware implant on Omron PLCs.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc", + "created": "2023-09-28T19:58:13.866Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:13.866Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:01:39.537Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--86c94552-de59-453d-ac06-28a6a64db930", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:47:46.836Z", + "description": "Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c", + "created": "2023-09-28T21:09:41.659Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:09:41.659Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { 
+ "type": "relationship", + "id": "relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:18:43.413Z", + "description": "Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:13:57.066Z", + "description": "Protect files with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--874752f4-59a2-46e9-ae28-befe0142b223", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T14:37:52.169Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:49:35.368Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--87eb5825-c918-444f-8da5-67da9eea9906", + "created": "2022-09-26T17:14:52.427Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:14:52.427Z", + "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:10:18.233Z", + "description": "Some asset application logs may provide information on I/O points related to write commands. 
Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce", + "created": "2022-09-27T15:25:50.596Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:49:19.854Z", + "description": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2", + "created": "2023-09-28T21:24:07.864Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:24:07.864Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--892c0bff-17b6-447b-a213-6a3189a1df82", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:51:45.844Z", + "description": "Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--897cfc36-4253-4e1e-8825-726dbe9088a2", + "created": "2023-09-28T19:55:02.944Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:55:02.944Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:41:09.265Z", + "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", + "created": "2021-10-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T17:31:56.055Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the `xyz.dll` file. If the `xyz.dll` file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf", + "created": "2023-03-30T19:01:40.038Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:01:40.038Z", + "description": "Monitor for any suspicious attempts to enable scripts running on a system. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. 
Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:49:59.817Z", + "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108", + "created": "2023-09-29T16:42:43.736Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:43.736Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62", + "created": "2023-09-27T14:50:09.612Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T15:25:53.307Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) moved their tools laterally within the ICS network. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c", + "created": "2022-09-26T16:50:56.298Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:50:56.298Z", + "description": "Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:32:18.214Z", + "description": "Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. 
Asset management systems should be consulted to understand known-good firmware versions and configurations.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.135Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:27:15.545Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. 
(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b491011-322d-4e0b-8f79-449e1b2ee185", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:26.030Z", + "description": "Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f", + "created": "2023-09-27T14:49:29.987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.263Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled the uninterruptable power supplies (UPS) to shutdown data and telephone servers via the UPS management interface. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:08:06.789Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4", + 
"created": "2023-10-02T20:21:16.665Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:21:16.665Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:59:36.071Z", + "description": "Monitor for unexpected deletion of files.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Ensure remote commands that enable device shutdown are disabled if they are not necessary. 
Examples include DNP3's 0x0D function code or unnecessary device management functions.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95", + "created": "2023-09-28T20:31:46.082Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:31:46.082Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91", + "created": "2023-09-27T14:49:48.589Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. 
Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.264Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7", + "created": "2023-09-28T21:25:20.417Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:25:20.417Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8da928a0-1c87-471f-aad7-5a1fdd438357", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": 
"2022-10-14T19:44:43.674Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash, which may be recorded in the application log.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:52:31.059Z", + "description": "Device restarts and shutdowns may be observable in device application logs. 
Monitor for unexpected device restarts or shutdowns.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.139Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b", + "created": "2023-09-29T17:05:44.653Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:44.653Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af", + "created": "2023-03-30T19:04:30.392Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:04:30.392Z", + "description": "Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:20:08.002Z", + "description": "Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8", + "created": "2023-03-30T19:00:57.773Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:00:57.773Z", + "description": "Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.195Z", + "relationship_type": "mitigates", + "description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n", + "source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8f947e00-2579-4120-a8b0-d466e59fac1a", + "created": "2023-09-28T19:49:25.824Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:49:25.824Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.120Z", + "relationship_type": "mitigates", + "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "external_references": [ + { + "source_name": "Dan Goodin March 2017", + "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.179Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb", + "created": "2023-09-29T17:04:17.682Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:04:17.682Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6", + "created": "2023-09-28T20:04:44.041Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:44.041Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", + "created": "2021-04-12T10:12:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": 
false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:22:33.586Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--910bada1-c923-4009-a9ea-da257072f168", + "created": "2023-09-29T16:29:27.902Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:27.902Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.119Z", + "relationship_type": "mitigates", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:06:08.814Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment. 
(Citation: Dragos December 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.130Z", + "relationship_type": "mitigates", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--92ea1c2a-3835-43de-bb56-24e937a6f322", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:31:12.226Z", + "description": "Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (e.g., JScript.dll, vbscript.dll).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e", + "created": "2023-09-29T17:38:40.536Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:40.536Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--93c336f2-7e7c-4c79-af16-faae03e66121", 
+ "created": "2023-09-29T18:44:09.293Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:44:09.293Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:27:42.104Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--943a9a5c-7826-451d-ac73-34353ea40595", + "created": "2023-09-29T16:33:36.496Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:33:36.496Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--94654460-b115-4056-beb1-e982ed33437b", + "created": "2023-03-30T18:59:46.674Z", + "revoked": false, + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:59:46.674Z", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from the local system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--949b498c-ca3f-4704-90bd-a22a4d34067f", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:37:55.042Z", + "description": "Monitor for loss of operational process data which could indicate alarms are being suppressed. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e", + "created": "2022-09-27T15:48:55.986Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:48:55.986Z", + "description": "Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.\n \n[Program Download](https://attack.mitre.org/techniques/T0843) may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. 
Asset management systems should be consulted to understand expected program versions.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:02:12.812Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d", + "created": "2023-09-28T20:17:07.288Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:17:07.288Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:52:41.680Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. 
These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.112Z", + "relationship_type": "mitigates", + "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", + "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8", + "created": "2023-09-28T20:25:30.229Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:25:30.229Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:47:35.796Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets, including the associated controller tasking.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97538255-b049-4d15-91c4-6b227cbea476", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:16:09.542Z", + "description": "Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that that an alarm setting has changed. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97641754-f215-4b8f-b0cd-0d3142053c76", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee CHIPSEC Blog", + "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", + "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" + }, + { + "source_name": "MITRE Copernicus", + "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", + "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" + }, + { + "source_name": "Intel HackingTeam UEFI Rootkit", + "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", + "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" + }, + { + "source_name": "Github CHIPSEC", + "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. 
Retrieved March 20, 2017.", + "url": "https://github.com/chipsec/chipsec" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:48:56.024Z", + "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97756c8a-b702-472b-8d67-15464a73093e", + "created": "2023-09-27T14:56:28.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.265Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [KillDisk](https://attack.mitre.org/software/S0607) rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices. 
(Citation: Booz Allen Hamilton)(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.115Z", + "relationship_type": "mitigates", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:59:40.539Z", + "description": "Monitor device application logs parameter changes, although not all devices will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1", + "created": "2023-09-29T16:40:54.250Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:54.250Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e", + "created": "2023-09-29T16:41:32.631Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:41:32.631Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319", + "created": "2023-09-29T18:47:52.800Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:52.800Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": 
"x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.172Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--98b229f8-6020-4fbb-b104-54fd478c14d9", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:29:49.652Z", + "description": "Monitor logon sessions for default credential use.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": 
"relationship", + "id": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.127Z", + "relationship_type": "mitigates", + "description": "Set and enforce secure password policies for accounts.\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:53:25.280Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of control. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", + "created": "2019-06-24T17:20:24.258Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:40:11.392Z", + "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to temporarily shutdown. 
(Citation: Catalin Cimpanu April 2016)", + "relationship_type": "uses", + "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134", + "created": "2023-09-29T18:03:23.576Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:03:23.576Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--99c0c90e-8526-41d6-80ca-b037598c6326", + "created": "2022-09-26T19:37:35.412Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:36:13.269Z", + "description": "Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f", + "created": "2023-09-28T19:56:54.642Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:56:54.642Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--99fa6d92-0c41-44ed-bd30-dd0413785883", + "created": "2023-09-29T18:43:23.321Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:43:23.321Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf", + "created": "2023-09-28T20:04:32.626Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:32.626Z", 
+ "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.075Z", + "relationship_type": "mitigates", + "description": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9ad74496-e164-4068-a0f5-379f507ba864", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:47:23.576Z", + "description": "Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8", + "created": "2023-09-29T18:58:05.958Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:58:05.958Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.232Z", + "relationship_type": "mitigates", + "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.\n", + "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Xenotime 2018", + "description": "Dragos, Inc.. (n.d.). Xenotime. 
Retrieved April 16, 2019.", + "url": "https://dragos.com/resource/xenotime/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-11-23T21:06:25.384Z", + "description": "(Citation: Dragos Xenotime 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.0.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875", + "created": "2023-09-28T19:37:35.485Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:37:35.485Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1", + "created": "2023-09-28T20:11:52.625Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:11:52.625Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5", + "created": "2023-09-28T19:59:44.009Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:59:44.009Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9cf83701-a347-47b4-a67b-280df95b275d", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:05.460Z", + "description": "Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f", + "created": "2022-09-27T18:40:11.818Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:12:41.739Z", + "description": "In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:34:07.441Z", + "description": "Alterations to the service binary path or the service startup type changed to disabled may be suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:53:56.368Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d75333b-2542-4899-923f-55dc1e077a51", + "created": "2022-09-27T16:03:41.224Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:52.592Z", + "description": "Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. 
Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3", + "created": "2022-09-26T14:44:05.557Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:49:44.728Z", + "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 
2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:46:03.389Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.(Citation: MDudek-ICS)\n\n[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9e0810a5-ad02-487f-b0a8-bf07decca493", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:07:52.455Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa", + 
"created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:00:56.539Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500", + "created": "2023-09-29T18:07:28.902Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:07:28.902Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", + "created": "2021-01-04T21:30:14.830Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. 
Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2017", + "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + }, + { + "source_name": "Secureworks IRON VIKING", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:46:32.756Z", + "description": "(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5", + "created": "2022-09-27T16:38:57.931Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:38:57.931Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. 
Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f2926a2-596f-459e-827e-6fe2d4646efd", + "created": "2023-09-29T18:06:46.756Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:46.756Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f43126d-5f6c-42a9-9908-49175c27ead7", + "created": "2023-03-30T19:27:26.398Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Industroyer2 ESET April 2022", + "description": "ESET. (2022, April 12). Industroyer2: Industroyer reloaded. 
Retrieved March 30, 2023.", + "url": "https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-05T15:49:13.700Z", + "description": "(Citation: Industroyer2 ESET April 2022)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3", + "created": "2023-09-28T21:12:14.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:12:14.470Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:54:30.385Z", + "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949", + "created": "2023-09-27T14:48:40.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.265Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. 
(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47", + "created": "2023-09-28T20:04:19.147Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:19.147Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:06.988Z", + "description": "Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:54:58.401Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of view. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.069Z", + "relationship_type": "mitigates", + "description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": 
"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.233Z", + "relationship_type": "mitigates", + "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "CISA June 2013", + "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a1454196-0d86-49f2-8dcb-61145a16b21e", + "created": "2022-09-26T20:36:04.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:33:05.248Z", + "description": "Monitor for files accessed on removable media, particularly those with executable content.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a15d718f-af30-4745-a837-887ba8f48727", + "created": "2023-09-29T16:30:46.705Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:30:46.705Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:55:26.032Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476", + "created": "2023-09-29T16:43:16.472Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:43:16.472Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3", + "created": 
"2023-09-29T16:28:17.629Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:17.629Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a2142552-6b8d-4751-a3d4-1471420c02fc", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:15:48.476Z", + "description": "Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. 
The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to enable remote logins.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039", + "created": "2023-09-28T21:16:05.517Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:05.517Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.100Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b", + "created": "2023-09-29T16:44:03.912Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:03.912Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d", + "created": "2023-09-29T18:04:05.993Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:04:05.993Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:50:54.867Z", + "description": "On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.\n\nOn network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9", + "created": "2023-09-29T16:36:28.818Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:36:28.818Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7", + "created": "2023-09-29T16:39:54.248Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:54.248Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a45cec05-2d81-4db1-9267-db8be498e0d2", + "created": "2023-09-29T16:46:50.699Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:50.699Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac", + "created": "2023-09-29T17:40:58.726Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:40:58.726Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": 
"x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63", + "created": "2023-09-29T17:57:44.978Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:44.978Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 
2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:20:11.016Z", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A) Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018) Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5", + "created": "2023-09-29T17:40:08.922Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:40:08.922Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:02:30.876Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf", + "created": "2023-09-27T14:45:26.126Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Charles McLellan March 2016", + "description": "Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.", + "url": "https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T15:28:24.006Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) remotely discovered operational assets once on the OT network. (Citation: Charles McLellan March 2016) (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:14:57.034Z", + "description": "Monitor for alarm setting changes observable in automation or management network protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", 
+ "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a6479493-6154-408f-90df-9d2f3ae352d1", + "created": "2023-03-31T17:46:01.470Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-07T17:06:53.070Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems.(Citation: Dragos Crashoverride 2018)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Davey Winder June 2020", + "description": "Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 
2021/04/12 ", + "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:47:16.775Z", + "description": "[EKANS](https://attack.mitre.org/software/S0605) infection resulted in a temporary production loss within a Honda manufacturing plant. (Citation: Davey Winder June 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T20:13:05.134Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7", + "created": "2023-09-29T17:05:56.185Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:56.185Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927", + "created": "2023-03-30T14:08:06.442Z", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:08:06.442Z", + "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a731ad54-0c3c-47bb-9559-d99950782beb", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:22:39.784Z", + "description": "Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). 
For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.217Z", + "relationship_type": "mitigates", + "description": "Patch the BIOS and EFI as necessary.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a78e727c-8e42-448c-beb4-463804e18be0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Minimize permissions and access for service accounts to limit impact of exploitation. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac", + "created": "2023-09-28T19:41:16.927Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:41:16.927Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393", + "created": "2022-09-26T14:43:24.136Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:49:34.799Z", + "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:33:22.909Z", + "description": "Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:42:02.105Z", + "description": "All field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a", + "created": "2022-09-29T14:27:05.757Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:27:05.757Z", + "description": "Monitor logon sessions for hardcoded credential use, when feasible.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.126Z", + "relationship_type": "mitigates", + "description": "Consider utilizing jump boxes for external remote access. Additionally, dynamic account management may be used to easily remove accounts when not in use.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:39:30.850Z", + "description": "Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ICS CERT September 2018", + "description": "ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 
2019/12/05 ", + "url": "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" + }, + { + "source_name": "ICS-CERT December 2014", + "description": "ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ", + "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:59:07.486Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.125Z", + "relationship_type": "mitigates", + "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1", + "created": "2023-09-28T20:28:27.970Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:28:27.970Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.079Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:46:24.589Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a91295dc-b381-4dc9-9384-9f9949066778", + "created": "2023-09-29T18:42:18.446Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:42:18.446Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a93ba793-24dd-47dd-b32c-4c3016124c90", + "created": "2023-09-29T18:43:02.969Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:43:02.969Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:27:55.358Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. 
(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aa205915-7571-47ee-8bc6-5aa1ace86690", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:52:11.111Z", + "description": "Devices may produce alarms about restarts or shutdowns. Monitor for unexpected device restarts or shutdowns.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91", + "created": "2022-09-26T16:35:07.728Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:35:07.728Z", + "description": "Monitor for new master devices communicating with outstations, which may be visible in alarms within the ICS environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba", + "created": "2023-09-29T17:42:56.284Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:56.284Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa", + "created": "2023-03-30T19:03:59.066Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:03:59.066Z", + "description": "Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data. Remote access tools with built-in features may interact directly with the Windows API to gather data. 
Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:32:51.548Z", + "description": "Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ab0b5170-577b-491e-8508-b9a34dc393c1", + "created": "2022-09-27T16:22:57.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:22:57.470Z", + "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any 
changes made to controller programs. Data from these platforms can be used to identify modified controller programs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Selena Larson, Camille Singleton December 2020", + "description": "Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 2021/04/12 ", + "url": "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fransomware-in-ics-environments%2F" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:06:16.474Z", + "description": "The [REvil](https://attack.mitre.org/software/S0496) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. 
(Citation: Selena Larson, Camille Singleton December 2020)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b", + "created": "2023-09-29T17:37:50.048Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:37:50.048Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e", + "created": "2023-09-29T17:37:16.719Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:37:16.719Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed", + "created": "2023-09-28T19:41:30.623Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:41:30.623Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov", + "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:54:49.878Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) deletes application, security, setup, and system event logs from Windows systems. 
(Citation: Anton Cherepanov)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291", + "created": "2023-10-02T20:20:19.426Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:20:19.426Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ac933d76-8207-4bf7-add2-92b60cf3044b", + "created": "2023-09-28T20:04:54.213Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:54.213Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--acace658-da7e-4a19-aa98-8aec8c966dde", + "created": "2023-09-27T14:53:03.323Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.266Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", + "type": "relationship", + "created": "2019-04-17T14:45:59.681Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. 
Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "source_name": "FireEye FIN6 Apr 2019" + } + ], + "modified": "2019-06-28T14:59:17.849Z", + "description": "(Citation: FireEye FIN6 Apr 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:36:33.957Z", + "description": "Monitor network traffic for anomalies associated with known AiTM behavior. 
For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.111Z", + "relationship_type": "mitigates", + "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. (Citation: Karen Scarfone; Paul Hoffman September 2009)\n", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 
2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b", + "created": "2023-09-28T21:12:39.257Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:12:39.257Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": 
"relationship--adf2072c-0341-4fc2-9d25-495b4af864e9", + "created": "2023-03-10T20:09:22.370Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:09:22.370Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary temporarily shut an investigator out of the network preventing them from issuing any controls.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.188Z", + "relationship_type": "mitigates", + "description": "Limit the accounts that may use remote services. 
Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc", + "created": "2023-09-28T19:50:14.201Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:50:14.201Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.167Z", + "relationship_type": "mitigates", + "description": "Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": 
"relationship", + "id": "relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c", + "created": "2023-03-10T20:36:34.109Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:36:34.109Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a two-way radio to communicate with and set the frequencies of Maroochy Shire's repeater stations.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--af20f409-05ed-42c3-ae3e-09b047b84875", + "created": "2023-09-25T20:49:25.308Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:49:25.308Z", + "description": "All field controllers should require that user authenticate for all remote or local management sessions. 
The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:39:13.371Z", + "description": "Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379", + "created": "2023-09-28T21:17:32.313Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:17:32.313Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + 
"x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d", + "created": "2023-09-29T16:44:42.393Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:42.393Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.133Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. 
Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.061Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1", + "created": "2023-09-29T17:37:41.336Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:37:41.336Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1", + "created": "2023-09-29T16:40:30.440Z", + 
"revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:30.440Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7", + "created": "2022-09-27T15:30:18.604Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:30:18.604Z", + "description": "Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b07e6896-a840-49a1-8d58-94396a902b95", + "created": "2023-03-31T17:56:07.978Z", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. 
Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T17:56:07.978Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) supplied the name of the payload DLL to [Industroyer](https://attack.mitre.org/software/S0604) via a command line parameter.(Citation: ESET Industroyer)", + "relationship_type": "uses", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1", + "created": "2023-09-28T21:21:18.081Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:21:18.081Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:43:36.467Z", + "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:59:13.486Z", + "description": "Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:56:58.977Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the 
expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:44:13.707Z", + "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of AiTM activity can be used to mitigate activity at the network level.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.068Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec", + "created": "2022-09-26T15:38:45.913Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:38:45.913Z", + "description": "Monitor for loss of expected device alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b1921480-8499-46a9-8396-2a2d747c5861", + "created": "2023-09-28T19:58:00.892Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:00.892Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": 
"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b21e0340-976d-44b2-94ae-f777199993c6", + "created": "2023-09-28T19:39:00.326Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:39:00.326Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov", + "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:55:06.661Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. (Citation: Anton Cherepanov)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a", + "created": "2023-09-28T21:10:50.480Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:10:50.480Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.192Z", + "relationship_type": "mitigates", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "external_references": [ + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 
2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.239Z", + "relationship_type": "mitigates", + "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. 
(Citation: DHS National Urban Security Technology Laboratory April 2019)\n", + "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "external_references": [ + { + "source_name": "DHS National Urban Security Technology Laboratory April 2019", + "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", + "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f", + "created": "2023-09-29T17:42:11.005Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:11.005Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b33f2abc-a218-425b-9a90-b75445b7e142", + "created": "2023-09-29T18:05:51.795Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:05:51.795Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": 
"x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Threat Intelligence August 2019", + "description": "Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03 ", + "url": "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:06:51.429Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers. (Citation: Dragos Threat Intelligence August 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b346eec8-de90-407c-b665-387086bb4553", + "created": "2022-09-29T01:36:02.223Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.444Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to upload programs from Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa", + "type": "relationship", + "created": "2017-05-31T21:33:27.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", + "description": "Hultquist, J.. 
(2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "source_name": "iSIGHT Sandworm 2014" + }, + { + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "source_name": "F-Secure BlackEnergy 2014" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." + }, + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
+ } + ], + "modified": "2022-02-28T17:02:50.401Z", + "description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b352884f-2a60-41c6-b348-0bbb5859802a", + "created": "2023-09-28T20:01:52.459Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:01:52.459Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.236Z", + "relationship_type": "mitigates", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_attack_spec_version": 
"2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b37844c1-0338-44f6-9116-48fa0f079913", + "created": "2023-09-29T17:41:11.611Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:41:11.611Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Chris Bing May 2018", + "description": "Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 2020/01/03 ", + "url": "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:07:07.445Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees. 
(Citation: Chris Bing May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2", + "created": "2023-09-28T19:48:58.160Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:48:58.160Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b3b24837-83ed-46c5-ba80-66a832c7072e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.062Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:00:06.347Z", + "description": "Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08", + "created": "2023-09-28T20:02:20.170Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:02:20.170Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + 
"x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov", + "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:55:23.573Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) looks for and terminates two non-standard processes, one of which is an ICS application. 
(Citation: Anton Cherepanov)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T14:34:42.612Z", + "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce AiTM conditions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3", + "created": "2023-03-30T18:59:30.677Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T18:59:30.677Z", + "description": "Develop and publish policies that define acceptable information to be stored on local systems.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b48be9f9-de0e-4548-ade3-09d47af52798", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:03:58.153Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if command messages are blocked.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3", + "created": "2022-09-27T17:37:02.670Z", + "revoked": false, + "external_references": [ + { + "source_name": "Nzyme Alerts Intro", + "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", + "url": "https://www.nzyme.org/docs/alerts/intro" + }, + { + "source_name": "Wireless Intrusion Detection", + "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. 
Retrieved September 26, 2022.", + "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T17:37:02.670Z", + "description": "Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa", + "created": "2023-09-29T17:45:55.581Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:45:55.581Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1", + "created": "2023-03-10T20:10:23.377Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:10:23.377Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary falsified network addresses in order to send false data and instructions to pumping stations.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b5979643-fefb-460f-b59c-971efe95f121", + "created": "2022-09-27T16:57:48.758Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:42:28.408Z", + "description": "Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or 
security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b59a96e4-bd70-4459-9609-66563bccd9c3", + "created": "2023-09-29T16:38:21.688Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:38:21.688Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Hydro", + "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", + "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 
2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:57:06.704Z", + "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.143Z", + "relationship_type": "mitigates", + "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.200Z", + "relationship_type": "mitigates", + "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.143Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b6309476-8268-4c47-920b-8a556cd8ae4c", + "created": "2023-09-29T18:47:07.359Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:07.359Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b69905bd-6865-4092-9543-47bd9ae318ec", + "created": "2023-09-28T19:54:22.618Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:54:22.618Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.232Z", + "relationship_type": "mitigates", + "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). (Citation: CISA June 2013)\n", + "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "CISA June 2013", + "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b7284360-0d80-45bb-8486-263ae8f8fa63", + "created": "2023-09-28T21:26:01.106Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:01.106Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + 
"id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b7344dfb-621b-4558-ab22-6c1f256ee746", + "created": "2023-09-29T16:46:27.408Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:27.408Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2", + "created": "2023-09-29T18:57:10.064Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:57:10.064Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T20:51:43.487Z", + "description": "Monitor for unusual network traffic that may indicate additional tools transferred to the system. 
Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586", + "created": "2023-09-28T19:51:42.728Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:51:42.728Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.172Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e", + "created": "2023-09-29T18:42:53.573Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:42:53.573Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b8b1739d-dfa2-44e9-907f-7085e262512f", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:01:52.517Z", + "description": "Monitor login sessions for new or unexpected devices or sessions on wireless networks.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + 
}, + { + "type": "relationship", + "id": "relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:45:17.457Z", + "description": "Monitor for network traffic originating from unknown/unexpected systems.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:11.538Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.226Z", + "relationship_type": "mitigates", + "description": "Update software on control network assets when possible. 
If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.097Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.222Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.091Z", + "relationship_type": "mitigates", + "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. 
Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.146Z", + "relationship_type": "mitigates", + "description": "Require signed binaries.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.091Z", + "relationship_type": "mitigates", + "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c", + "created": "2023-09-28T21:28:36.325Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:36.325Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a", + "created": "2023-09-28T20:03:54.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:03:54.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + 
"x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7", + "created": "2023-09-29T18:49:34.208Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:34.208Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.184Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--baf7daf3-2116-4051-91b5-f82e146167d0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259", + "created": "2023-09-29T16:45:08.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:08.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc", + "created": "2023-09-28T19:53:44.848Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:44.848Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", 
+ "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.222Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.112Z", + "relationship_type": "mitigates", + "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--bc383819-2e40-49b4-bea9-95eb5d418877", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:15:38.341Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify his own block DB890), this blocks data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9", + "created": "2023-09-28T21:22:21.776Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:22:21.776Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n", + "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:49:50.583Z", + "description": "Authenticate connections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:16:10.677Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a", + "created": "2023-09-28T21:16:24.310Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:24.310Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bd869385-5778-4303-8993-cc6412d12303", + "created": "2023-09-29T18:45:59.108Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:59.108Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + 
], + "type": "relationship", + "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Deploy anti-virus on all systems that support external email.\n", + "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.082Z", + "relationship_type": "mitigates", + "description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--be0f7d83-2441-4259-b411-46e0d10566b1", + "created": "2023-10-02T20:23:24.179Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:24.179Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": 
"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:16:39.070Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.073Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2", + "created": "2023-09-28T20:31:17.116Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:31:17.116Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76", + "created": "2023-09-29T16:46:12.472Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:12.472Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:37:24.268Z", + "description": "Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bf8e68fe-1969-48d1-be0e-ec742378748d", + "created": "2023-09-29T18:56:34.302Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:34.302Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": 
"x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302", + "created": "2023-09-29T18:06:02.077Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:02.077Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bf9f227c-e306-4257-add1-39c7c2e42040", + "created": "2023-09-29T18:47:28.758Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:28.758Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", + "type": "relationship", + "created": 
"2020-09-22T19:41:27.951Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + } + ], + "modified": "2020-09-22T19:41:27.951Z", + "description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--bffad8de-a807-4216-9753-008a87d9d77f", + "created": "2023-09-28T19:56:40.730Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:56:40.730Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef", + "created": "2023-09-28T21:17:47.080Z", + "revoked": false, + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:17:47.080Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.183Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f", + "created": "2023-03-10T20:34:55.362Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:34:55.362Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary suppressed alarm reporting to the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CopyFromScreen .NET", + "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. 
Retrieved March 24, 2020.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8" + }, + { + "source_name": "Antiquated Mac Malware", + "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:38:15.307Z", + "description": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Consider restricting access to email within critical process 
environments. Additionally, downloads and attachments may be disabled if email is still necessary.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2", + "created": "2023-09-29T18:09:02.311Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:09:02.311Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553", + "created": "2023-09-29T17:09:48.178Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:48.178Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5", + "created": 
"2023-09-29T16:28:39.397Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:39.397Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c233df49-e450-4151-8a0f-1765faf3d75a", + "created": "2023-09-29T17:08:08.883Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:08:08.883Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2", + "created": "2023-03-10T20:09:49.009Z", + "revoked": false, + "external_references": [ + { + "source_name": "Marshall Abrams July 2008", + "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 
2018/03/27 ", + "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-10T20:09:49.009Z", + "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer.(Citation: Marshall Abrams July 2008)", + "relationship_type": "uses", + "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f", + "created": "2023-09-29T17:59:54.204Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:59:54.204Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": 
"Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:21.586Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Threat Intelligence February 2020", + "description": "Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 
2021/04/12 ", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:48:00.088Z", + "description": "[EKANS](https://attack.mitre.org/software/S0605) masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. (Citation: Dragos Threat Intelligence February 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c37f097a-9698-412f-9e96-4d350bcd2790", + "created": "2023-09-29T16:44:26.728Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:26.728Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608", + "created": "2023-09-29T18:49:14.639Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:14.639Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:56:39.825Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b", + "created": "2023-10-02T20:21:06.420Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:21:06.420Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa", + "created": "2022-09-27T16:35:12.372Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:47:35.207Z", + "description": "Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. 
Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c4718fa2-2592-44b0-87d0-f866c118a779", + "created": "2023-09-29T18:07:09.213Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:07:09.213Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:42:42.363Z", + "description": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. 
They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c4a50132-a210-4093-878d-3d6df23ed26e", + "created": "2023-09-29T17:10:09.146Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:10:09.146Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37", + "created": "2023-09-28T20:15:05.405Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:05.405Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:03.970Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c58563a8-d757-4476-8ae2-beb2acce38b3", + "created": "2023-10-02T20:20:55.473Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:20:55.473Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", + "created": "2019-03-25T19:13:54.947Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:32:08.109Z", + "description": "[WannaCry](https://attack.mitre.org/software/S0366) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. 
(Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd", + "created": "2023-09-29T18:43:49.839Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:43:49.839Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16", + "type": "relationship", + "created": "2020-06-10T18:36:54.638Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "NCSC Sandworm Feb 2020", + "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory", + "description": "NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020." + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020." + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." + }, + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." + }, + { + "source_name": "Trend Micro Cyclops Blink March 2022", + "url": "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", + "description": "Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022." + } + ], + "modified": "2022-03-17T15:07:01.055Z", + "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )(Citation: Trend Micro Cyclops Blink March 2022)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. 
Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:26:20.823Z", + "description": "Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. 
Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:30.482Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:17:59.179Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.070Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36", + "created": "2023-09-28T21:27:50.246Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:27:50.246Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:39.703Z", + "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.211Z", + "relationship_type": "mitigates", + "description": "Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. 
(Citation: OWASP)\n", + "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "external_references": [ + { + "source_name": "OWASP", + "description": "OWASP Top 10 Web Application Security Risks Retrieved. 2020/09/25 ", + "url": "https://owasp.org/www-project-top-ten/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.132Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "external_references": [ + { + "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", + "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 
2016/04/20 ", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8", + "created": "2023-09-29T17:59:11.267Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:59:11.267Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374", + "created": "2022-09-26T14:35:27.430Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:35:27.430Z", + "description": "Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via [Rogue Master](https://attack.mitre.org/techniques/T0848).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:57:08.952Z", + "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.186Z", + "relationship_type": "mitigates", + "description": "When at rest, project files should be encrypted to prevent unauthorized changes. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ACSC Email Spoofing", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + }, + { + "source_name": "Microsoft Anti Spoofing", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. 
Retrieved October 19, 2020.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:48:02.425Z", + "description": "Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
@@ -24700,70 +29684,506 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", + "created": "2022-05-06T17:47:21.168Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Carl Hurd March 2019", + "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", + "url": "https://www.youtube.com/watch?v=yuZazP22rpI" + }, + { + "source_name": "William Largent June 2018", + "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", + "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:31:07.308Z", + "description": "The [VPNFilter](https://attack.mitre.org/software/S1010)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. 
(Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", + "relationship_type": "uses", + "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", + "id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.128Z", + "created": "2021-04-12T17:00:17.249Z", + "modified": "2022-05-06T17:47:24.212Z", "relationship_type": "mitigates", - "description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n", - "source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", - "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "description": "A supply chain management program should include methods the assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n", + "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "external_references": [ + { + "source_name": "Robert A. Martin January 2021", + "description": "Robert A. 
Martin 2021, January TRUSTING OUR SUPPLY CHAINS: A COMPREHENSIVE DATA-DRIVEN APPROACH Retrieved. 2021/04/12 ", + "url": "https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf" + } + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7", - "created": "2023-03-10T20:34:25.450Z", + "id": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:23:14.457Z", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. 
Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a", + "created": "2023-09-27T13:22:13.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Marshall Abrams July 2008", - "description": "Marshall Abrams 2008, July 23 Malicious Control System Cyber Security Attack Case Study Maroochy Water Services, Australia Retrieved. 2018/03/27 ", - "url": "https://www.mitre.org/sites/default/files/pdf/08_1145.pdf" + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T22:05:00.124Z", - "description": "In the [Maroochy Water Breach](https://attack.mitre.org/campaigns/C0020), the adversary disabled alarms at four pumping stations, preventing notifications to the central computer.(Citation: Marshall Abrams July 2008)", + "modified": "2023-09-27T13:25:51.965Z", + "description": "(Citation: Booz Allen Hamilton)", "relationship_type": "uses", - "source_ref": "campaign--70cab19e-1745-425e-b3db-c02cd5ff157a", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb", - "created": "2022-09-20T20:55:00.134Z", + "id": "relationship--c9065f74-556d-4728-8072-f96642e70316", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", + "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + "source_name": "SecureWorks September 2019", + "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + }, + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-18T13:25:44.859Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized the operator HMI interface through the graphical user interface. This action led to immediate operator detection as they were able to see the adversary making changes on their screen.(Citation: Pinellas County Sheriffs Office February 2021)", + "modified": "2022-10-12T18:06:28.859Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. 
(Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)", "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.068Z", + "relationship_type": "mitigates", + "description": "Provide an alternative method for alarms to be reported in the event of a communication failure.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c95850f4-4616-435c-b237-f1985833d40e", + "created": "2023-09-29T16:29:39.918Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:39.918Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c9fb4adb-8064-426a-838d-c93674fb380b", + "created": "2023-09-29T18:44:38.035Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:44:38.035Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:50:10.284Z", + "description": "Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. 
This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ca13a117-aae0-4802-878b-c09f4a04dd31", + "created": "2023-09-28T20:06:50.018Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:06:50.018Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-31T19:58:55.128Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ca5c7ae7-5273-4888-bc50-183d6e200972", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.105Z", + "relationship_type": "mitigates", + "description": "Built-in browser sandboxes and application isolation may be used to contain web-based malware.\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": 
"2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.081Z", + "relationship_type": "mitigates", + "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.105Z", + "relationship_type": "mitigates", + "description": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Carl Hurd March 2019", + "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 
2019/03/28 ", + "url": "https://www.youtube.com/watch?v=yuZazP22rpI" + }, + { + "source_name": "William Largent June 2018", + "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", + "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:31:19.732Z", + "description": "The [VPNFilter](https://attack.mitre.org/software/S1010) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", + "relationship_type": "uses", + "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", + "type": "relationship", + "created": "2021-10-04T20:52:20.304Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET Lazarus KillDisk April 2018", + "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. 
Retrieved May 17, 2018.", + "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" + } + ], + "modified": "2021-10-04T20:54:09.057Z", + "description": "(Citation: ESET Lazarus KillDisk April 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", + "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:48:12.637Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:18:37.808Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd", + "created": "2023-09-28T21:14:29.099Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:29.099Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + 
"modified": "2022-05-06T17:47:24.219Z", + "relationship_type": "mitigates", + "description": "Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794", + "created": "2023-03-30T14:08:42.386Z", + "revoked": false, + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:08:42.386Z", + "description": "Retain cold-standby or replacement hardware of similar models to ensure continued operations of critical functions if the primary system is compromised or unavailable. (Citation: M. Rentschler and H. 
Heine)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cba8313b-c338-45f7-88ef-a514094882ac", + "created": "2022-09-28T20:28:39.348Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.446Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -24771,8 +30191,127 @@ }, { "type": "relationship", - "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", - "created": "2021-04-13T12:36:26.506Z", + "id": "relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749", + "created": "2023-10-20T17:05:25.595Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-20T17:05:25.595Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a", + "created": "2023-09-29T16:30:08.166Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:30:08.166Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.146Z", + "relationship_type": "mitigates", + "description": 
"Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c", + "created": "2022-09-27T15:34:07.320Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:34:07.320Z", + "description": "Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:19:13.497Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ccbb44ad-2220-4260-99ce-9142c44fc797", + "created": "2023-09-28T21:10:03.272Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:10:03.272Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", + "created": "2021-04-13T12:08:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
@@ -24785,11 +30324,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:24:07.929Z", - "description": "[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. (Citation: Jos Wetzels January 2018)", + "modified": "2022-10-12T18:28:11.304Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -24800,48 +30339,1838 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", + "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.072Z", + "relationship_type": "mitigates", + "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2", + "created": "2023-09-28T20:15:56.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:56.470Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T19:12:25.664Z", + "description": "Monitor for 
third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986", + "created": "2023-09-29T16:31:36.462Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:31:36.462Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb", + "type": "relationship", + "created": "2021-01-20T21:03:13.436Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." + }, + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." + } + ], + "modified": "2022-02-28T17:02:50.467Z", + "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.207Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. 
For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a", + "created": "2022-09-26T14:37:45.140Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:37:45.140Z", + "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9", + "created": "2022-09-23T16:36:40.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, 
+ "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:50:45.583Z", + "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d", + "created": "2023-09-29T16:29:16.222Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:16.222Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-28T18:44:20.611Z", + "description": "Monitor for unexpected ICS protocol functions from new and existing devices. 
Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cf8a816c-30ee-4147-a48f-d797fb145a04", + "created": "2023-09-29T17:43:10.828Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:43:10.829Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.216Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185", + "created": "2023-09-28T21:15:44.547Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:15:44.547Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cfcbca89-8912-40c0-ac15-47882162b132", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:00:16.899Z", + "description": "Monitor application logs for new or unexpected devices or sessions on wireless networks.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab", + "created": "2023-10-02T20:22:25.770Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:22:25.770Z", + "description": "", + "relationship_type": 
"targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d03de729-9235-4ceb-a1c0-935e2088020b", + "created": "2023-09-28T21:29:12.533Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:29:12.533Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.208Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d1388bba-9869-4e3e-a6c9-430784ad924d", + "created": "2023-09-27T14:59:13.988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.267Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually. 
(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T13:53:55.028Z", + "description": "Disable unnecessary legacy network protocols that may be used for AiTM if applicable.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.160Z", "relationship_type": "mitigates", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { + "type": "relationship", + "id": "relationship--d1a97502-b41d-40a8-aff5-13367fefc642", + "created": "2023-09-28T21:21:45.003Z", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6", + "modified": "2023-09-28T21:21:45.003Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.236Z", - "relationship_type": "mitigates", - "description": "Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. 
Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896", + "created": "2023-09-29T16:28:52.111Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:52.111Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0", + "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.115Z", + "modified": "2022-05-06T17:47:24.086Z", "relationship_type": "mitigates", - "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", - "source_ref": 
"course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", + "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d23fd724-563d-4f49-8bcd-09c653728cd3", + "created": "2023-09-28T21:28:00.462Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:00.462Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242", + "created": "2023-09-28T19:53:20.304Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:20.304Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d2a434c7-4428-435e-ae6b-e54012f29606", + "created": "2023-09-25T20:43:52.987Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:43:52.987Z", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af", + "created": "2022-09-27T16:08:15.473Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:08:15.473Z", + "description": "Monitor device application logs that indicate the program has changed, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", + "created": 
"2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:31.072Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) communicated with its command and control using HTTP requests. (Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999", + "created": "2023-09-29T18:49:54.378Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:54.378Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72", + "created": "2023-09-28T19:38:27.199Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:38:27.199Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.227Z", + "relationship_type": "mitigates", + "description": "Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n", + "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d3d4f469-9847-41ef-a478-5eaf6003d483", + "created": "2023-10-02T20:23:00.405Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:00.405Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": 
"x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:49:29.157Z", + "description": "Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d455330d-f190-4854-8087-4c2c37003b45", + "created": "2023-09-29T17:39:29.897Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:39:29.897Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d48894cb-457e-4a81-82b4-2d735aea5128", + "created": "2023-09-28T19:50:56.496Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:50:56.496Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab", + "type": "relationship", + "created": "2017-05-31T21:33:27.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021." 
+ } + ], + "modified": "2021-12-07T18:39:07.922Z", + "description": "(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", + "relationship_type": "uses", + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", + "created": "2019-03-25T19:13:54.947Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:32:23.717Z", + "description": "[WannaCry](https://attack.mitre.org/software/S0366) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d58d8b19-90bc-4a7f-840d-076be296ff20", + "created": "2023-09-29T17:09:01.803Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:01.803Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a", + "created": "2023-09-28T19:43:49.584Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:43:49.584Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d", + "created": 
"2023-09-29T17:38:17.313Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:17.313Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0", + "created": "2023-09-29T17:08:23.682Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:08:23.682Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d648b3c7-77d2-42f3-a367-620621b714ab", + "created": "2023-09-28T21:11:29.314Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:11:29.314Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "When available utilize hardware and software root-of-trust to verify the authenticity of a system. This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:31:22.665Z", + "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible to determine their actions and intent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:23.911Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de", + "created": "2023-09-29T18:48:41.176Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:41.176Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5", + "created": "2023-09-28T20:29:50.745Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:29:50.745Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", + "created": 
"2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marc-Etienne M.Lveill October 2017", + "description": "Marc-Etienne M.Lveill 2017, October 24 Bad Rabbit: NotPetya is back with improved ransomware Retrieved. 2019/10/27 ", + "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:02.075Z", + "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. (Citation: Marc-Etienne M.Lveill October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18", + "created": "2023-09-29T16:46:01.992Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:01.992Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:39.359Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. 
(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:24:28.935Z", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d8911566-f622-4a01-b765-514dbbfd8201", + "created": "2022-09-28T20:27:01.345Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.447Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can deploy Tcpdump to sniff network traffic and collect PCAP files.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa", + "created": "2023-09-28T21:14:51.778Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:51.778Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.194Z", + "relationship_type": "mitigates", + "description": 
"Consider the disabling of features such as AutoRun.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d8f95008-33c9-4572-9916-023d8de449b1", + "created": "2023-09-29T18:04:16.785Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:04:16.785Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:23:33.379Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. 
(Citation: ICS-CERT August 2018)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d90b1271-a90d-41c7-9df7-bec47880c82e", + "created": "2022-09-27T15:33:46.485Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:33:46.485Z", + "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:35:32.480Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. (Citation: Booz Allen Hamilton)\n", + "relationship_type": "uses", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d96788b4-55dd-48df-bb9b-83b33ca24813", + "created": "2023-09-28T19:55:22.376Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:55:22.376Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d9de58a6-58fd-499c-ba7d-588239297179", + "created": "2023-09-29T16:42:31.464Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:31.464Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5", + "created": "2023-09-28T19:51:11.687Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:51:11.687Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a", + "created": "2023-09-29T16:42:53.226Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:53.226Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0", + "created": "2023-09-29T18:06:57.332Z", + 
"revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:57.332Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--da987131-bf37-4730-9914-323879d2b5c3", + "created": "2023-09-28T20:34:11.025Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:34:11.025Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8", + "created": "2023-09-28T19:44:22.801Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:44:22.801Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dadfed22-d70c-482b-9026-964396d75484", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:42:28.053Z", + "description": "Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--db46e84f-435e-4022-b484-e6d2e253660c", + "created": "2023-09-29T18:06:13.468Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:13.468Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a", + "created": "2022-09-30T15:34:29.316Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T15:34:29.316Z", + "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dbcc492c-782e-4418-8373-dbc7a76498b0", + "created": "2023-09-29T17:45:35.293Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:45:35.293Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": 
"2022-05-06T17:47:24.170Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T16:45:08.648Z", + "description": "Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. 
Be aware of multi-factor authentication interception techniques for some implementations.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f", + "created": "2023-09-29T18:06:35.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:35.470Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"type": "relationship", + "id": "relationship--dda29418-9570-405a-b7db-97e951e5aa53", + "created": "2022-09-26T19:36:13.409Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:35:58.409Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:40.524Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.108Z", + "relationship_type": "mitigates", + "description": "All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--de8b8a69-5f08-421a-96f0-2bed5707508d", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nzyme Alerts Intro", + "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. 
Retrieved September 26, 2022.", + "url": "https://www.nzyme.org/docs/alerts/intro" + }, + { + "source_name": "Wireless Intrusion Detection", + "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", + "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:57:13.322Z", + "description": "New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dead5325-7efe-4dcc-bf78-42b9190f74da", + "created": "2023-09-29T16:46:40.272Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:40.272Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--def57041-6bb4-453a-bf04-188b9e97a35d", + "created": "2023-09-28T21:26:34.603Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:34.603Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--df321d74-25d6-42da-80e8-3c9a291cb471", + "created": "2023-09-28T19:57:41.602Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:57:41.602Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:46:30.174Z", + 
"description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some AiTM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--df7b521e-4496-432f-a61d-3094d0c7bc23", + "created": "2023-09-29T17:58:26.994Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:26.994Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--df80e2b6-5672-4f26-a19c-a394f3731f24", + "created": "2023-09-28T19:48:48.649Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:48:48.649Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--df95c619-33ee-4484-934a-78857717323e", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:18:47.783Z", + "description": "Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da", + "created": "2023-09-28T20:11:11.658Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:11:11.658Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dfb20521-91c2-4f55-b92a-dab959759b78", + "created": "2023-09-29T18:03:38.874Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:03:38.874Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:23:18.048Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:45:37.289Z", + "description": "Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of [Valid Accounts](https://attack.mitre.org/techniques/T0859).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.227Z", + "relationship_type": "mitigates", + "description": "Prevent the use of unsigned executables, such as installers and scripts.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", 
+ "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca", + "created": "2022-09-27T15:42:39.964Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:43:48.288Z", + "description": "Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:23:47.107Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through a trojanized installer attached to emails. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" 
@@ -24873,516 +32202,38 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.170Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.101Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ 
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.185Z", - "relationship_type": "mitigates", - "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.186Z", - "relationship_type": "mitigates", - "description": "All remote services should require strong authentication before providing user access.\n", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--52855d5d-e835-470f-a675-751c2779c861", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": 
"2022-05-06T17:47:24.140Z", - "relationship_type": "mitigates", - "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e", + "created": "2023-09-28T19:42:54.009Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:08:55.507Z", - "description": "Monitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.086Z", - "relationship_type": "mitigates", - "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", - "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", - "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.199Z", - "relationship_type": "mitigates", - "description": "Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": 
"attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--214eb531-411c-4b90-9dbf-dc0183cbb919", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:34:19.403Z", - "description": "Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.212Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.147Z", - "relationship_type": "mitigates", - "description": "Only authorized personnel should be able to change settings for alarms.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.183Z", - "relationship_type": "mitigates", - "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 
1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:10:43.996Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:34:07.441Z", - "description": "Alterations to the service binary path or the service startup type changed to disabled may be suspicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.080Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--4b57e41c-246f-44b3-b259-1811d5275e10", - "created": "2022-09-26T15:16:32.057Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:16:32.057Z", - "description": "Consult asset management systems to understand expected alarm settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "modified": "2023-09-28T19:42:54.009Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", "x_mitre_deprecated": false, "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--a1454196-0d86-49f2-8dcb-61145a16b21e", - "created": "2022-09-26T20:36:04.428Z", + "id": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", + "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:33:05.248Z", - "description": "Monitor for files accessed on removable media, particularly those with executable content.", + "modified": "2022-10-14T16:40:47.334Z", + "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", - "type": "relationship", - "created": "2021-10-04T20:52:20.304Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "ESET Lazarus KillDisk April 2018", - "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. 
Retrieved May 17, 2018.", - "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" - } - ], - "modified": "2021-10-04T20:54:09.057Z", - "description": "(Citation: ESET Lazarus KillDisk April 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", - "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:32:52.932Z", - "description": "Monitor for newly constructed drive letters or mount points to removable media.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.232Z", - "relationship_type": "mitigates", - "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). 
(Citation: CISA June 2013)\n", - "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "CISA June 2013", - "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", - "created": "2020-05-14T14:40:26.221Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", - "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020." - }, - { - "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", - "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", - "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." - }, - { - "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." 
- }, - { - "source_name": "FireEye KEGTAP SINGLEMALT October 2020", - "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." - }, - { - "source_name": "CrowdStrike Wizard Spider October 2020", - "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", - "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." - }, - { - "source_name": "Sophos New Ryuk Attack October 2020", - "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", - "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020." - }, - { - "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", - "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", - "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020." - }, - { - "source_name": "DFIR Ryuk in 5 Hours October 2020", - "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020." - }, - { - "source_name": "DFIR Ryuk's Return October 2020", - "url": "https://thedfirreport.com/2020/10/08/ryuks-return/", - "description": "The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020." 
- } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", - "modified": "2022-05-20T17:07:10.940Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "relationship_type": "uses", - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:55:23.567Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.217Z", - "relationship_type": "mitigates", - "description": "Patch the BIOS and EFI as necessary.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--874752f4-59a2-46e9-ae28-befe0142b223", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas 
Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-30T14:37:52.169Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
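Review bot: In the added `detects` description of `relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065`, the word `characters` runs straight into the quoted token (`override characters\"\\u202E\"`), so the rendered sentence is missing a space; it should read `right-to-left override characters \"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\"`. The doubled backslash is correct and should stay as it is: it decodes to the six visible characters `\u202E`, whereas a single backslash would decode to a real U+202E and reorder the text in anything that displays this description. The added `targets` relationship in the same hunk has `"description": ""`, so tooling that renders relationship descriptions presumably needs to treat an empty string the same as a missing one.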
@@ -25390,130 +32241,87 @@ }, { "type": "relationship", - "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", - "created": "2017-12-14T16:46:06.044Z", + "id": "relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14", + "created": "2023-03-31T17:44:45.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:36:37.304Z", - "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) uses HTTP POST request to contact external command and control servers. 
(Citation: Booz Allen Hamilton)\n", + "modified": "2023-04-07T17:54:45.912Z", + "description": "During the [2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025), [Sandworm Team](https://attack.mitre.org/groups/G0034) transferred executable files as .txt and then renamed them to .exe, likely to avoid detection through extension tracking.(Citation: Dragos Crashoverride 2018)", "relationship_type": "uses", - "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d", - "created": "2023-03-30T18:57:58.377Z", - "revoked": false, - "external_references": [ - { - "source_name": "Symantec", - "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", - "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-03-30T18:57:58.377Z", - "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data from local systems. The modules are named: infostealer 1, infostealer 2 and reconnaissance. 
(Citation: Symantec)", - "relationship_type": "uses", - "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", - "target_ref": "attack-pattern--fa3aa267-da22-4bdd-961f-03223322a8d5", + "source_ref": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74", + "created": "2023-09-29T17:08:48.251Z", "revoked": false, - "external_references": [ - { - "source_name": "ICS CERT September 2018", - "description": "ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 2019/12/05 ", - "url": "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" - }, - { - "source_name": "ICS-CERT December 2014", - "description": "ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ", - "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:59:07.486Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. 
(Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "modified": "2023-09-29T17:08:48.251Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.101Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6bf14e79-3287-4b9e-b222-9d527530df1e", - "created": "2022-05-11T16:22:58.807Z", + "id": "relationship--e18af08c-3953-4b1d-b46c-45572fdb5187", + "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:57:08.560Z", - "description": "Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "modified": "2022-09-27T19:02:08.013Z", + "description": "Monitor operational data for indicators of temporary data loss which may indicate a Denial of Service. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4", + "created": "2023-09-28T20:09:07.381Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:09:07.381Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "type": "relationship", "id": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", 
@@ -25546,35 +32354,292 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "type": "relationship", + "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Max Heinemeyer February 2020", + "description": "Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 2021/04/12 ", + "url": "https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "modified": "2022-10-12T18:06:56.076Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) uses the SMB protocol to encrypt files located on remotely connected file shares. 
(Citation: Max Heinemeyer February 2020)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00", + "created": "2022-09-28T20:25:51.024Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. 
Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.448Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e3b04152-0c90-41ff-a333-c5163fa9714f", + "created": "2023-09-29T17:41:22.619Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:41:22.619Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e434db5d-f201-4411-825f-4a50e1e78c75", + "created": "2023-09-29T17:06:20.834Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:06:20.834Z", + "description": "", + "relationship_type": "targets", + "source_ref": 
"attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc", + "created": "2023-09-29T18:49:44.351Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:44.351Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e4a11381-8608-4c71-966f-df0cbb834fe0", + "created": "2022-09-30T15:35:09.660Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:08.392Z", + "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). 
For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972", + "created": "2023-09-29T16:45:33.777Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:33.777Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043", + "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.198Z", + "modified": "2022-05-06T17:47:24.106Z", "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "description": "Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:52:04.484Z", + "description": "Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454", + "created": "2023-10-02T20:17:51.320Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:17:51.320Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", 
+ "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.087Z", + "relationship_type": "mitigates", + "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", + "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "external_references": [ + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb", + "created": "2023-09-28T20:30:32.778Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:32.778Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:42:45.693Z", + "description": "All field controllers should restrict the modification of parameter values to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. They should also restrict online edits and enable write protection for parameters. 
\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.081Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -25586,19 +32651,93 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9", + "created": "2023-09-28T19:42:16.270Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:42:16.270Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", + "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.133Z", + "modified": "2022-05-06T17:47:24.109Z", "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "description": "Application isolation will limit the other processes and system features an exploited target can access. 
Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2", + "created": "2023-09-29T16:45:20.769Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:20.769Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42", + "created": "2023-09-29T16:39:41.736Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:41.736Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + 
], + "type": "relationship", + "id": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.097Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "external_references": [ { "source_name": "M. Rentschler and H. Heine", 
@@ -25615,53 +32754,3190 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", + "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.075Z", + "modified": "2022-05-06T17:47:24.104Z", "relationship_type": "mitigates", - "description": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--72bfda0b-31e9-4958-8d40-6efe816d9989", - "created": "2022-09-27T15:32:03.332Z", + "id": "relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23", + "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:33:47.681Z", - "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to 
monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "modified": "2022-10-14T19:46:16.720Z", + "description": "When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.088Z", + "relationship_type": "mitigates", + "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8", + "created": "2023-09-28T19:50:30.312Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:50:30.312Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e915e12c-3d0c-4f60-b119-9414940abb0b", + "created": "2023-09-28T20:08:27.145Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:08:27.145Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + 
"x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42", + "created": "2023-09-28T19:45:18.672Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:45:18.672Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e98892d6-e036-4140-adbb-2932dba51a19", + "created": "2023-09-28T20:08:09.519Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:08:09.519Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc", + "type": "relationship", + "created": "2020-05-14T14:41:42.975Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "source_name": "FireEye FIN6 Apr 2019" + } + ], + "modified": "2020-05-15T19:15:35.568Z", + "description": "(Citation: FireEye FIN6 Apr 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + }, + { + "source_name": "ICS-CERT December 2018", + "description": "ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02" + }, + { + "source_name": "Schneider Electric January 2018", + "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 
2019/03/14 ", + "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s" + }, + { + "source_name": "The Office of Nuclear Reactor Regulation", + "description": "The Office of Nuclear Reactor Regulation Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30 ", + "url": "https://www.nrc.gov/docs/ML1209/ML120900890.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:54.342Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. (Citation: The Office of Nuclear Reactor Regulation)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:51:47.079Z", + "description": "Monitor ICS automation protocols for functions that restart or shutdown a device. 
Commands to restart or shutdown devices may also be observable in traditional IT management protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.230Z", + "relationship_type": "mitigates", + "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4", + "created": "2023-09-29T17:38:59.611Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:59.611Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960", + "created": "2023-09-28T20:28:52.768Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:28:52.768Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53", + "created": "2023-09-28T20:05:15.314Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:05:15.314Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", + "created": "2021-10-08T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": 
false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:20:42.055Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:42:04.422Z", + "description": "Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b", + "created": "2023-09-28T19:44:09.311Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:44:09.311Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", + "created": "2021-10-08T15:42:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:01:24.078Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. 
June 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eb5310c6-7500-4b16-8ca7-6678c6232001", + "created": "2023-09-29T19:36:38.824Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T19:36:38.824Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.175Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": 
"relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0", + "created": "2023-09-29T17:09:37.977Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:37.977Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.177Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643", + "created": "2023-09-28T21:25:48.379Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:25:48.379Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.139Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. 
For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ed095993-bc85-431e-9621-437143f16d44", + "created": "2023-09-29T17:44:09.285Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:09.285Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ed3ce006-cf41-46f6-bd86-054314c130dc", + "created": "2023-09-28T21:15:57.120Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:15:57.120Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": 
"x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ed3ef546-566a-46c7-918e-7bfa10d05991", + "created": "2023-09-29T17:06:47.370Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:06:47.370Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ed66e087-8877-4146-a16a-44cfd144a3d8", + "created": "2023-09-29T17:07:00.450Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:07:00.450Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ed8b97e2-5966-4844-a636-524541a46e43", + "created": "2023-09-29T16:39:18.448Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:18.448Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb", + "created": "2023-09-29T16:39:29.206Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:29.206Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6", + "created": "2022-09-27T16:56:30.665Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:39:41.897Z", + "description": "Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", + "target_ref": 
"attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "x_mitre_domains": [ - "ics-attack" + "type": "relationship", + "id": "relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b", + "created": "2023-09-29T17:58:54.996Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:54.996Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1", + "created": "2023-09-28T21:12:00.004Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:12:00.004Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { 
+ "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2022-05-11T16:22:58.802Z", - "created": "2022-05-11T16:22:58.802Z", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "name": "Process/Event Alarm", - "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", + "modified": "2022-10-12T17:31:21.210Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. 
(Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2", + "created": "2023-09-29T17:58:04.082Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:04.082Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:44:27.451Z", + "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:07:33.947Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. (Citation: Tom Fakterman August 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:35:50.632Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. (Citation: Booz Allen Hamilton)\n", + "relationship_type": "uses", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97", + "created": "2023-09-28T20:05:33.450Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:05:33.450Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": 
"Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6", + "created": "2023-09-28T20:04:07.868Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:07.868Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:52.947Z", + "description": "Take and store data backups from end user systems and critical servers. 
Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.231Z", + "relationship_type": "mitigates", + "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n", + "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Schweitzer Engineering Laboratories August 2015", + "description": "Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8", + "created": "2023-09-28T21:11:45.241Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:11:45.241Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.076Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. 
Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3", + "created": "2023-09-28T19:54:48.577Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:54:48.577Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec Security Response July 2014", + "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." 
+ } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:12:48.097Z", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)", + "relationship_type": "uses", + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--efb80069-e4be-4055-bd34-06d1376b4601", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.109Z", + "relationship_type": "mitigates", + "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "external_references": [ + { + "source_name": "McCarthy, J et al. July 2018", + "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 
2020/09/17 ", + "url": "https://doi.org/10.6028/NIST.SP.1800-2" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0", + "created": "2023-09-29T16:39:09.447Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:09.447Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f05a2592-00f9-4f1f-ba55-395af5444b96", + "created": "2023-09-29T17:42:29.179Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:29.179Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f08d487a-7837-48f9-9301-fe0f9f144c92", + "created": "2023-09-28T20:31:04.691Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:31:04.691Z", + 
"description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:21:24.221Z", + "description": "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0603) prevents an operator from noticing unauthorized commands sent to the peripheral. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.189Z", + "relationship_type": "mitigates", + "description": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d", + "created": "2023-09-29T18:45:34.258Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:34.258Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb", + "created": "2023-09-28T21:23:01.421Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:23:01.421Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f130282b-f681-455f-966b-55829842be92", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Langer Stuxnet", + "description": "Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-17T16:00:06.894Z", + "description": "One of [Stuxnet](https://attack.mitre.org/software/S0603)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. 
(Citation: Langer Stuxnet)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8", + "created": "2023-09-28T21:24:22.815Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:24:22.815Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f145b7e5-048b-46e7-8439-e2b88917523c", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:48:47.595Z", + "description": "Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f19c34b2-ef3a-4581-b604-6639f501e32f", + "created": "2023-10-02T20:20:32.163Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:20:32.163Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704", + "created": "2023-09-29T17:07:38.219Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:07:38.219Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.150Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:24:02.276Z", + "description": "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0603) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:38:17.130Z", + "description": "Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee CHIPSEC Blog", + "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", + "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" + }, + { + "source_name": "MITRE Copernicus", + "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", + "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" + }, + { + "source_name": "Intel HackingTeam UEFI Rootkit", + "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", + "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" + }, + { + "source_name": "Github CHIPSEC", + "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. 
Retrieved March 20, 2017.", + "url": "https://github.com/chipsec/chipsec" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:48:28.074Z", + "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", + "created": "2021-04-12T07:57:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik August 2019", + "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 
2019/10/22 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-04-14T20:00:00.650Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Joe Slowik August 2019)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b", + "created": "2023-09-28T21:23:51.038Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:23:51.038Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba", + "created": "2023-03-30T14:11:33.618Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-30T14:11:33.618Z", + "description": "Monitor for device credential changes observable in automation or management network protocols.", + 
"relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--fab8fc7d-f27f-4fbb-9de6-44740aade05f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.118Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:28:22.574Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.091Z", + "relationship_type": "mitigates", + "description": "Develop and publish policies that define acceptable information to be stored in repositories.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1", + "created": "2023-09-28T19:49:56.464Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:49:56.464Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": 
"3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:33:51.166Z", + "description": "Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f531e763-3550-40ba-a6a1-81e208ca12c6", + "created": "2023-09-29T16:41:06.217Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:41:06.217Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7", + "created": "2023-09-28T21:26:23.361Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:23.361Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", + "created": "2021-10-13T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:29:11.326Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545", + "created": "2023-09-29T18:44:50.280Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:44:50.280Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f5c9f641-a498-46b5-9068-39502db53cfd", + "created": "2023-09-28T20:10:55.590Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:10:55.590Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4", + "created": 
"2023-09-29T17:04:55.720Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:04:55.720Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51", + "created": "2023-09-29T17:05:20.132Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:20.132Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Chrysene Retrieved. 
2019/10/27 ", + "url": "https://dragos.com/resource/chrysene/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:49.409Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) utilized stolen credentials to gain access to victim machines.(Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659", + "created": "2023-09-28T19:55:58.229Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:55:58.229Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f664bf42-5fb2-41e5-b790-978ddf866da3", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T17:45:58.655Z", + "description": "Monitor for information collection on assets that may indicate deviations from standard operational tools. 
Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6", + "created": "2023-09-28T20:12:09.661Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:12:09.661Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-21T16:44:46.032Z", + "description": "Communication authenticity will ensure that any messages tampered with through AiTM can be detected, but cannot prevent eavesdropping on these. 
In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various AiTM procedures.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.147Z", + "relationship_type": "mitigates", + "description": "Use file system access controls to protect system and application folders.\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c", + "created": "2023-09-29T16:45:42.977Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:42.977Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846", + "created": "2023-09-29T18:47:39.450Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:39.450Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138", + "created": "2023-09-28T20:31:31.498Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:31:31.498Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df", + "created": "2023-09-27T14:58:21.360Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.268Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs May 2018", + "description": "Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved. 
2020/01/03 ", + "url": "https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:33:11.305Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089", + "created": "2023-09-28T20:16:40.519Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:40.519Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.104Z", + "relationship_type": "mitigates", + "description": 
"Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702", + "created": "2023-03-22T15:52:30.607Z", + "revoked": false, + "external_references": [ + { + "source_name": "PLCTop20 Mar 2023", + "description": "PLC Security, Top 20 Community. (2021, June 15). Secure PLC Coding Practices: Top 20 version 1.0. Retrieved March 22, 2023.", + "url": "https://plc-security.com/content/Top_20_Secure_PLC_Coding_Practices_V1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-22T15:52:30.607Z", + "description": "Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.(Citation: PLCTop20 Mar 2023)", + "relationship_type": "mitigates", + "source_ref": "course-of-action--1cbcceef-3233-4062-aa86-ec91afe39517", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2022-09-26T16:09:42.474Z", + "description": "Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f92764db-a880-4726-9d28-a035170f790c", + "created": "2023-09-28T21:22:35.236Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:22:35.236Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.070Z", + "relationship_type": "mitigates", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": 
"attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:34:29.743Z", + "description": "Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. The latter is like detection for [Rogue Master](https://attack.mitre.org/techniques/T0848) but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).\n\nMonitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b", + "created": "2023-09-28T19:48:37.072Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:48:37.072Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": 
"x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.185Z", + "relationship_type": "mitigates", + "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.184Z", + "relationship_type": "mitigates", + "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. 
Ensure the signing keys are not easily accessible on the same system.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-03-08T22:28:50.588Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0", + "created": "2023-09-29T16:28:04.180Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:04.180Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + 
"x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fad25140-73de-40d5-a010-3464188db973", + "created": "2023-09-25T20:51:07.162Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:51:07.162Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fadbdca3-3c98-497c-a156-e53b89664359", + "created": "2023-09-28T20:16:55.038Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:55.038Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": 
"relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:58:34.751Z", + "description": "Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1", + "created": "2023-09-29T17:38:28.664Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:28.664Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:15:27.767Z", + "description": "Monitor ICS management protocols / file transfer 
protocols for protocol functions related to firmware changes.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:14.825Z", + "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs May 2018", + "description": "Eduard Kovacs 2018, May 10 'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK Retrieved. 
2020/01/03 ", + "url": "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:42.440Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:25.119Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.111Z", + "relationship_type": "mitigates", + "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n", + 
"source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55", + "created": "2022-09-27T18:41:43.617Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:41:43.617Z", + "description": "Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd", + "created": "2023-10-02T20:23:41.227Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:41.227Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fd856176-396c-4121-9754-35e49bfa5758", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:41:55.062Z", + "description": "Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fdc20415-c9a1-405e-80af-3d297894e8fa", + "created": "2023-09-28T19:58:30.849Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:30.849Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2022-09-26T15:08:55.507Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f", + "created": "2023-09-28T21:10:39.025Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:10:39.025Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926", + "created": "2023-09-28T21:26:59.998Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:59.998Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + 
"x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb", + "created": "2023-09-28T19:56:26.241Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:56:26.241Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ff107632-751b-4efb-86bd-af670b48d35d", + "created": "2023-09-28T21:21:30.387Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:21:30.387Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": 
"2022-05-06T17:47:24.060Z", + "relationship_type": "mitigates", + "description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:37.216Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T17:46:20.340Z", + "name": "Application Server", + "description": "Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. 
Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "created": "2023-09-28T14:58:00.982Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0008", + "external_id": "A0008" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Application Log Content", + "description": "Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)", + "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-06T14:05:01.054Z", + "name": "2015 Ukraine Electric Power Attack", + "description": "[2015 Ukraine Electric Power 
Attack](https://attack.mitre.org/campaigns/C0028) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [BlackEnergy](https://attack.mitre.org/software/S0089) (specifically BlackEnergy3) and [KillDisk](https://attack.mitre.org/software/S0607) to target and disrupt transmission and distribution substations within the Ukrainian power grid. This campaign was the first major public attack conducted against the Ukrainian power grid by Sandworm Team.", + "aliases": [ + "2015 Ukraine Electric Power Attack" + ], + "first_seen": "2015-12-01T05:00:00.000Z", + "last_seen": "2016-01-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Booz Allen Hamilton)", + "x_mitre_last_seen_citation": "(Citation: Booz Allen Hamilton)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "created": "2023-09-27T13:11:52.340Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0028", + "external_id": "C0028" + }, + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "ics-attack", + "enterprise-attack" + ] + }, + { + "modified": "2023-09-28T14:23:52.358Z", + "name": "Workstation", + "description": "Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. 
Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Transient Cyber Asset (TCA)", + "related_asset_sectors": [ + "Electric" + ], + "description": "A Transient Cyber Asset (TCA)(Citation: North American Electric Reliability Corporation June 2021) is a mobile workstation that is used to support management functions across multiple different networks, rather than being dedicated to any specific device/network. The TCA is often used to directly manage ICS environments that do not have any dedicated support for external remote access. Therefore, the TCA provides a mechanism for connectivity and file transfer to many networks/devices, even if they are segmented or “air gapped” from other networks. " + }, + { + "name": "Engineering Workstation (EWS)", + "related_asset_sectors": [ + "General" + ], + "description": "An Engineering Workstation (EWS) is used to perform various maintenance, configuration, or diagnostics functions for a control system. The EWS will likely require dedicated application software to interface with various devices (e.g., RTUs, PLCs), and may be used to transfer data or files between the control system devices and other networks. 
" + } + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "created": "2023-09-28T14:22:49.837Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0001", + "external_id": "A0001" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:01:02.506Z", + "name": "Intelligent Electronic Device (IED)", + "description": "An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. 
An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.", + "x_mitre_sectors": [ + "Electric" + ], + "x_mitre_related_assets": [ + { + "name": "Protection Relay", + "related_asset_sectors": [ + "Electric" + ], + "description": "A protection relay is a type of IED used within the electric sector to monitor for faults or problematic operating conditions on power lines, busses, or transformers. While traditionally protection relays were electromechanical or electromagnetic devices, modern relays utilize microprocessors, embedded operating system, and SCADA communications." + }, + { + "name": "Field Device / Controller", + "related_asset_sectors": [], + "description": "IEDs may be referred to as Field Controllers or Field Devices as a general function name. " + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "created": "2023-09-28T14:46:42.566Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0005", + "external_id": "A0005" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-16T18:49:26.400Z", + "name": "Routers", + "description": "A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. 
The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "created": "2023-09-29T18:55:09.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0014", + "external_id": "A0014" + }, + { + "source_name": "IETF RFC4949 2007", + "description": "Internet Engineering Task Force. (2007, August). Internet Security Glossary, Version 2. Retrieved September 29, 2023.", + "url": "https://www.ietf.org/rfc/rfc4949.txt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:08:33.386Z", + "name": "Data Gateway", + "description": "Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:\n\n * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. \n * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. \n * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. \n\nData gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. 
Further, these devices often have remote various network services that are used to communicate across different zones or networks. \n\nThese assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. \n", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Data Acquisition Server (DAS)", + "related_asset_sectors": [ + "General" + ], + "description": "A Data Acquisition Server (DAS) a system or software platform that is used to collect, aggregate, and store data/telemetry from field devices using various SCADA/Automation protocols. " + }, + { + "name": "Serial to Ethernet Gateway", + "related_asset_sectors": [ + "Electric", + "General" + ], + "description": "A Serial to Ethernet gateway is a device that is used to connect field devices that only support serial-based communication (e.g., RS-232) with more modern Ethernet-based networks. " + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "created": "2023-09-28T15:01:48.509Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0009", + "external_id": "A0009" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:19:46.282Z", + "name": "User Account Authentication", + "description": "An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)", + "x_mitre_data_source_ref": 
"x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T17:59:11.489Z", + "name": "Human-Machine Interface (HMI)", + "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Operator Workstation (OWS)", + "related_asset_sectors": [ + "General" + ], + "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. 
(Citation: IEC February 2019)" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "created": "2023-09-28T14:38:54.407Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0002", + "external_id": "A0002" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Network Share Access", + "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-01T02:45:48.973Z", + "name": "Dragonfly", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has 
been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", + "aliases": [ + "Dragonfly", + "TEMP.Isotope", + "DYMALLOY", + "Berserk Bear", + "TG-4192", + "Crouching Yeti", + "IRON LIBERTY", + "Energetic Bear" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.2", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "created": "2017-05-31T21:32:05.217Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0035", + "external_id": "G0035" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TEMP.Isotope", + "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)" + }, + { + "source_name": "Crouching Yeti", + 
"description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "TG-4192", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Dragonfly", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "Energetic Bear", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)" + }, + { + "source_name": "CISA AA20-296A Berserk Bear December 2020", + "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions" + }, + { + "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022", + "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. 
Retrieved April 5, 2022.", + "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical" + }, + { + "source_name": "Dragos DYMALLOY ", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.", + "url": "https://www.dragos.com/threat/dymalloy/" + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" + }, + { + "source_name": "Mandiant Ukraine Cyber Threats January 2022", + "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.", + "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats" + }, + { + "source_name": "Secureworks MCMD July 2019", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis" + }, + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" + }, + { + "source_name": "Secureworks Karagany July 2019", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. 
Retrieved December 6, 2021.", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers" + }, + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Symantec Dragonfly 2.0 October 2017", + "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + }, + { + "source_name": "UK GOV FSB Factsheet April 2022", + "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. 
Retrieved April 5, 2022.", + "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Access", + "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-22T04:43:59.082Z", + "name": "HEXANE", + "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. 
[HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", + "aliases": [ + "HEXANE", + "Lyceum", + "Siamesekitten", + "Spirlin" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Dragos Threat Intelligence", + "Mindaugas Gudzis, BT Security" + ], + "type": "intrusion-set", + "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1001", + "external_id": "G1001" + }, + { + "source_name": "Spirlin", + "description": "(Citation: Accenture Lyceum Targets November 2021)" + }, + { + "source_name": "Siamesekitten", + "description": "(Citation: ClearSky Siamesekitten August 2021)" + }, + { + "source_name": "Lyceum", + "description": "(Citation: SecureWorks August 2019)" + }, + { + "source_name": "Accenture Lyceum Targets November 2021", + "description": "Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.", + "url": "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" + }, + { + "source_name": "ClearSky Siamesekitten August 2021", + "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.", + "url": "https://www.clearskysec.com/siamesekitten/" + }, + { + "source_name": "Dragos Hexane", + "description": "Dragos. (n.d.). Hexane. 
Retrieved October 27, 2019.", + "url": "https://dragos.com/resource/hexane/" + }, + { + "source_name": "Kaspersky Lyceum October 2021", + "description": "Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.", + "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" + }, + { + "source_name": "SecureWorks August 2019", + "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 ", + "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Modification", + "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_version": "1.0", - "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -25687,154 +35963,442 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Metadata", + "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "name": "Process/Event Alarm", + "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T17:57:56.558Z", + "name": "Data Historian", + "description": "Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting 
devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "created": "2023-09-28T14:48:36.305Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0006", + "external_id": "A0006" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:05:43.237Z", + "name": "Remote Terminal Unit (RTU)", + "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. 
An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.", + "x_mitre_sectors": [ + "Electric", + "Water and Wastewater", + "General" + ], + "x_mitre_platforms": [ + "Embedded", + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "created": "2023-09-28T14:44:54.756Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0004", + "external_id": "A0004" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-16T18:49:08.504Z", + "name": "Safety Controller", + "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.", + "x_mitre_related_assets": [ + { + "name": "Safety Instrumented System (SIS) controller", + "related_asset_sectors": [], + "description": "SIS controllers are used to “take the process to a safe state when predetermined conditions are violated” (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. 
These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. " + }, + { + "name": "Emergency Shutdown Systems (ESD) controller", + "related_asset_sectors": [], + "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system “to a safe static condition so that any remedial action can be taken”. (Citation: SIGTTO ESD 2021)" + }, + { + "name": "Burner Management Systems (BMS) controller", + "related_asset_sectors": [], + "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences." + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "created": "2023-09-28T15:10:05.534Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0010", + "external_id": "A0010" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "SIGTTO ESD 2021", + "description": "Society of International Gas Tanker & Terminal Operators Ltd. (2021). ESD Systems: Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition). 
Retrieved September 28, 2023.", + "url": "https://sigtto.org/media/3457/sigtto-2021-esd-systems.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-20T15:05:19.274Z", - "name": "Logon Session Metadata", - "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", - "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "name": "Network Traffic Content", + "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "aliases": [ - "Dragonfly 2.0", - "IRON LIBERTY", - "DYMALLOY", - "Berserk Bear" + "modified": "2023-10-04T18:03:06.811Z", + "name": "Jump Host", + "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. 
The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. ", + "x_mitre_sectors": [ + "General" ], + "x_mitre_related_assets": [ + { + "name": "Intermediate System", + "related_asset_sectors": [ + "Electric" + ], + "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, "x_mitre_domains": [ - "ics-attack", - "enterprise-attack" + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "created": "2023-09-28T17:52:53.206Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0012", + "external_id": "A0012" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 
2021/10/11 ", + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "intrusion-set", - "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "2.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:09:21.296Z", + "name": "Programmable Logic Controller (PLC)", + "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device’s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Process Automation Controller (PAC)", + "related_asset_sectors": [ + "General" + ], + "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. 
" + }, + { + "name": "Field Device / Controller", + "related_asset_sectors": [], + "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. " + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "created": "2023-09-28T14:43:05.105Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "external_id": "G0074", - "url": "https://attack.mitre.org/groups/G0074" + "url": "https://attack.mitre.org/assets/A0003", + "external_id": "A0003" }, { - "source_name": "DYMALLOY", - "description": "(Citation: Dragos DYMALLOY )" - }, - { - "source_name": "Berserk Bear", - "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)" - }, - { - "source_name": "IRON LIBERTY", - "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)" - }, - { - "source_name": "Dragonfly 2.0", - "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)" - }, - { - "source_name": "Dragos DYMALLOY ", - "url": "https://www.dragos.com/threat/dymalloy/", - "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." - }, - { - "source_name": "Fortune Dragonfly 2.0 Sept 2017", - "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", - "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018." - }, - { - "source_name": "Secureworks MCMD July 2019", - "url": "https://www.secureworks.com/research/mcmd-malware-analysis", - "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." 
- }, - { - "source_name": "Secureworks IRON LIBERTY", - "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty", - "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020." - }, - { - "source_name": "Symantec Dragonfly Sept 2017", - "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", - "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." - }, - { - "source_name": "US-CERT TA18-074A", - "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A", - "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018." + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" } ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. 
(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", - "modified": "2022-05-11T14:00:00.188Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Dragonfly 2.0", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Creation", + "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-11-30T22:46:40.135Z", - "name": "TEMP.Veles", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. 
The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", - "aliases": [ - "TEMP.Veles", - "XENOTIME" + "modified": "2023-04-21T15:41:36.287Z", + "name": "OS API Execution", + "description": "Operating system function/method calls executed by a process", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T19:26:49.788Z", + "name": "Field I/O", + "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. 
", + "x_mitre_related_assets": [ + { + "name": "Smart Sensors", + "related_asset_sectors": [ + "General" + ], + "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication." + }, + { + "name": "Variable Frequency Drive (VFD)", + "related_asset_sectors": [ + "General" + ], + "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected." + } + ], + "x_mitre_platforms": [ + "Embedded" ], "x_mitre_deprecated": false, - "x_mitre_version": "1.3", + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "created": "2023-09-28T17:57:22.946Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0013", + "external_id": "A0013" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. 
Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:14:39.124Z", + "name": "Command Execution", + "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-08T22:07:25.123Z", + "name": "APT33", + "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. 
(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "aliases": [ + "APT33", + "HOLMIUM", + "Elfin" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.4", "x_mitre_contributors": [ "Dragos Threat Intelligence" ], "type": "intrusion-set", - "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "created": "2019-04-16T15:14:38.533Z", + "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/groups/G0088", - "external_id": "G0088" + "url": "https://attack.mitre.org/groups/G0064", + "external_id": "G0064" }, { - "source_name": "TEMP.Veles", - "description": "(Citation: FireEye TRITON 2019)" + "source_name": "APT33", + "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" }, { - "source_name": "Dragos Xenotime 2018", - "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", - "url": "https://dragos.com/resource/xenotime/" + "source_name": "HOLMIUM", + "description": "(Citation: Microsoft Holmium June 2020)" }, { - "source_name": "FireEye TEMP.Veles 2018", - "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", - "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" + "source_name": "Elfin", + "description": "(Citation: Symantec Elfin Mar 2019)" }, { - "source_name": "FireEye TRITON 2019", - "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. 
Retrieved April 16, 2019.", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" + "source_name": "FireEye APT33 Webinar Sept 2017", + "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.", + "url": "https://www.brighttalk.com/webcast/10703/275683" }, { - "source_name": "FireEye TEMP.Veles JSON April 2019", - "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019.", - "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html" + "source_name": "Microsoft Holmium June 2020", + "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" }, { - "source_name": "Pylos Xenotime 2019", - "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.", - "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/" + "source_name": "FireEye APT33 Sept 2017", + "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. 
Retrieved February 15, 2018.", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" }, { - "source_name": "XENOTIME", - "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)" + "source_name": "Symantec Elfin Mar 2019", + "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.", + "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" } ], "object_marking_refs": [ 
@@ -25848,68 +36412,208 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "modified": "2023-10-04T18:09:59.538Z", + "name": "Control Server", + "description": "Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.", + "x_mitre_sectors": [ + "General" ], - "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.272Z", - "name": "Application Log Content", - "description": "Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)", - "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2023-04-10T21:18:24.743Z", - "name": "2016 Ukraine Electric Power Attack", - "description": "[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. 
This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", - "aliases": [ - "2016 Ukraine Electric Power Attack" + "x_mitre_related_assets": [ + { + "name": "Supervisory Control And Data Acquisition (SCADA) Server", + "related_asset_sectors": [ + "General", + "Electric", + "Water and Wastewater" + ], + "description": "A SCADA server is used to perform monitoring and control across a distributed environment. It typically has an associated HMI to provide information to a human operator and heavily depends on the human operator to initiate control actions." + }, + { + "name": "Master Terminal Unit (MTU)", + "related_asset_sectors": [ + "General" + ], + "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" + }, + { + "name": "Supervisory controller", + "related_asset_sectors": [ + "General" + ], + "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" + }, + { + "name": "Distribution/Energy Management System (DMS/EMS)", + "related_asset_sectors": [ + "Electric" + ], + "description": "A DMS and EMS are electric sector specific devices that are commonly used to manage distribution and transmission-level electrical grids. These platforms typically integrate a SCADA server and HMI with domain-specific data analysis applications, such as state-estimation and contingency analysis (EMS), or voltage-var control or fault restoration (DMS). 
" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux" ], - "first_seen": "2016-12-01T05:00:00.000Z", - "last_seen": "2016-12-01T05:00:00.000Z", - "x_mitre_first_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", - "x_mitre_last_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], "x_mitre_version": "1.0", - "type": "campaign", - "id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", - "created": "2023-03-31T17:22:23.567Z", + "type": "x-mitre-asset", + "id": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "created": "2023-09-28T14:55:39.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/campaigns/C0025", - "external_id": "C0025" + "url": "https://attack.mitre.org/assets/A0007", + "external_id": "A0007" }, { - "source_name": "ESET Industroyer", - "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - }, - { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. 
Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ] + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-08T22:12:31.238Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Flow", + "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "name": "Process History/Live Data", + "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": 
"x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "ALLANITE", + "Palmetto Fusion" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "created": "2017-05-31T21:31:57.307Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G1000", + "url": "https://attack.mitre.org/groups/G1000" + }, + { + "source_name": "Dragos", + "url": "https://dragos.com/resource/allanite/", + "description": "Dragos Allanite Retrieved. 2019/10/27 " + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. 
(Citation: Dragos)", + "modified": "2022-05-24T19:26:10.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "ALLANITE", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-04T18:07:59.333Z", + "name": "Virtual Private Network (VPN) Server", + "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Virtual Private Network (VPN) terminator", + "related_asset_sectors": [ + "General" + ], + "description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)" + }, + { + "name": "Field VPN", + "related_asset_sectors": [ + "General" + ], + "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. 
" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "created": "2023-09-28T15:13:07.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0011", + "external_id": "A0011" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-10-06T14:13:06.011Z", "name": "Sandworm Team", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide 
[NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "aliases": [ @@ -25923,7 +36627,7 @@ "IRIDIUM" ], "x_mitre_deprecated": false, - "x_mitre_version": "3.0", + "x_mitre_version": "3.1", "x_mitre_contributors": [ "Dragos Threat Intelligence" ], 
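Review bot: In the hunk at `@@ -25848,68 +36412,208 @@`, the citation descriptions added for `IEC February 2019` (VPN Server asset) and `Dragos` (ALLANITE) read `... Retrieved. 2020/09/25 ` and `Dragos Allanite Retrieved. 2019/10/27 `, with a misplaced period, a slash-formatted date and trailing whitespace. The `Guidance - NIST SP800-82` reference in the same hunk uses the usual "Author. (date). Title. Retrieved Month D, YYYY." form, so tooling that extracts retrieval dates or renders citations from the usual form will presumably mis-handle these two. I would normalise them upstream, e.g. `"description": "IEC. (2019, February). Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Retrieved September 25, 2020."`. The same shape appears in the preceding hunk, which starts outside this view, in the `North American Electric Reliability Corporation June 2021` and `IEC February 2013` references. Separately, the `Master Terminal Unit (MTU)` and `Supervisory controller` related assets under Control Server carry byte-identical description strings, which is worth confirming as intentional.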
@@ -26035,31 +36739,93 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ - "ics-attack", "enterprise-attack", + "ics-attack", "mobile-attack" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-10-07T16:14:39.124Z", - "name": "Command Execution", - "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", - "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, + "x_mitre_domains": [ + "ics-attack" + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Device Alarm", + "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", + "type": 
"x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Metadata", + "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-04-10T21:18:24.743Z", + "name": "2016 Ukraine Electric Power Attack", + "description": "[2016 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0025) was a [Sandworm Team](https://attack.mitre.org/groups/G0034) campaign during which they used [Industroyer](https://attack.mitre.org/software/S0604) malware to target and disrupt distribution substations within the Ukrainian power grid. 
This campaign was the second major public attack conducted against Ukraine by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "aliases": [ + "2016 Ukraine Electric Power Attack" + ], + "first_seen": "2016-12-01T05:00:00.000Z", + "last_seen": "2016-12-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "x_mitre_last_seen_citation": "(Citation: ESET Industroyer)(Citation: Dragos Crashoverride 2018)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--aa73efef-1418-4dbe-b43c-87a498e97234", + "created": "2023-03-31T17:22:23.567Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0025", + "external_id": "C0025" + }, + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ] + }, { "modified": "2023-04-05T22:00:43.353Z", "name": "Maroochy Water Breach", 
@@ -26100,15 +36866,114 @@ ] }, { - "modified": "2022-10-07T16:16:55.269Z", - "name": "Script Execution", - "description": "The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)", - "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", + "aliases": [ + "Dragonfly 2.0", + "IRON LIBERTY", + "DYMALLOY", + "Berserk Bear" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0074", + "url": "https://attack.mitre.org/groups/G0074" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)" + }, + { + "source_name": "Dragonfly 2.0", + "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)" + }, + { + "source_name": "Dragos DYMALLOY ", + "url": "https://www.dragos.com/threat/dymalloy/", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018." + }, + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). 
MCMD Malware Analysis. Retrieved August 13, 2020." + }, + { + "source_name": "Secureworks IRON LIBERTY", + "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty", + "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020." + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." + }, + { + "source_name": "US-CERT TA18-074A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018." + } + ], "x_mitre_deprecated": false, - "x_mitre_version": "1.1", + "revoked": true, + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. 
(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", + "modified": "2022-05-11T14:00:00.188Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dragonfly 2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "type": "x-mitre-data-component", - "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "created": "2021-10-20T15:05:19.272Z", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Metadata", + "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-21T21:47:58.629Z", + "name": "Asset Inventory", + "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)", + "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "created": "2022-09-23T16:34:00.912Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ 
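Review bot: The intrusion-set added in this hunk for G0074 (Dragonfly 2.0) is marked `"revoked": true` with `"x_mitre_deprecated": false`, and the hunk shows no `revoked-by` relationship pointing at the object that replaces it. Confirm the bundle carries that relationship, because tooling that builds group or coverage views from this file has to skip revoked objects and follow the link rather than list G0074 as a live group. The File Metadata description added in the same hunk has a typo: `user/ower` should read `user/owner`. The reference name `"Dragos DYMALLOY "` keeps a trailing space that the `(Citation: Dragos DYMALLOY )` markers presumably have to match exactly, so any clean-up needs to change both together.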
@@ -26118,51 +36983,102 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "modified": "2023-03-30T19:01:41.451Z", + "name": "Lazarus Group", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). 
", + "aliases": [ + "Lazarus Group", + "Labyrinth Chollima", + "HIDDEN COBRA", + "Guardians of Peace", + "ZINC", + "NICKEL ACADEMY" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.2", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet", + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "created": "2017-05-31T21:32:03.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0032", + "external_id": "G0032" + }, + { + "source_name": "Labyrinth Chollima", + "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)" + }, + { + "source_name": "ZINC", + "description": "(Citation: Microsoft ZINC disruption Dec 2017)" + }, + { + "source_name": "Lazarus Group", + "description": "(Citation: Novetta Blockbuster)" + }, + { + "source_name": "NICKEL ACADEMY", + "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)" + }, + { + "source_name": "Guardians of Peace", + "description": "(Citation: US-CERT HIDDEN COBRA June 2017)" + }, + { + "source_name": "CrowdStrike Labyrinth Chollima Feb 2022", + "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.", + "url": "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/" + }, + { + "source_name": "Novetta Blockbuster", + "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.", + "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + }, + { + "source_name": "Secureworks NICKEL ACADEMY Dec 2017", + "description": "Secureworks. (2017, December 15). 
Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.", + "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing" + }, + { + "source_name": "Microsoft ZINC disruption Dec 2017", + "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.", + "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/" + }, + { + "source_name": "HIDDEN COBRA", + "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)" + }, + { + "source_name": "Treasury North Korean Cyber Groups September 2019", + "description": "US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.", + "url": "https://home.treasury.gov/news/press-releases/sm774" + }, + { + "source_name": "US-CERT HIDDEN COBRA June 2017", + "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A" + }, + { + "source_name": "US-CERT HOPLIGHT Apr 2019", + "description": "US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. 
Retrieved April 19, 2019.", + "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.274Z", - "name": "Network Traffic Flow", - "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" ], - "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.272Z", - "name": "Module Load", - "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)", - "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.274Z", - "name": "Network Traffic Content", - "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -26182,138 +37098,53 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "x_mitre_domains": [ - "ics-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2022-05-11T16:22:58.802Z", - "created": "2022-05-11T16:22:58.802Z", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "name": "Process History/Live Data", - "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", - "x_mitre_version": "1.0", - "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2023-03-22T04:43:59.082Z", - "name": "HEXANE", - "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. 
[HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", + "modified": "2023-09-20T22:40:13.147Z", + "name": "Oldsmar Treatment Plant Intrusion", + "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)", "aliases": [ - "HEXANE", - "Lyceum", - "Siamesekitten", - "Spirlin" + "Oldsmar Treatment Plant Intrusion" ], - "x_mitre_deprecated": false, - "x_mitre_version": "2.1", - "x_mitre_contributors": [ - "Dragos Threat Intelligence", - "Mindaugas Gudzis, BT Security" - ], - "type": "intrusion-set", - "id": "intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3", - "created": "2018-10-17T00:14:20.652Z", + "first_seen": "2021-02-01T05:00:00.000Z", + "last_seen": "2021-02-01T05:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", + "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", + "x_mitre_deprecated": true, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "created": "2022-09-20T20:53:14.373Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/groups/G1001", - "external_id": "G1001" + "url": "https://attack.mitre.org/campaigns/C0009", + "external_id": "C0009" }, { - "source_name": "Spirlin", - "description": "(Citation: Accenture Lyceum Targets November 2021)" + "source_name": "CISA AA21-042A Water Treatment Intrusion Feb 2021", + "description": "CISA. (2021, February 11). Compromise of U.S. Water Treatment Facility . Retrieved October 18, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-042a" }, { - "source_name": "Siamesekitten", - "description": "(Citation: ClearSky Siamesekitten August 2021)" + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" }, { - "source_name": "Lyceum", - "description": "(Citation: SecureWorks August 2019)" - }, - { - "source_name": "Accenture Lyceum Targets November 2021", - "description": "Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.", - "url": "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" - }, - { - "source_name": "ClearSky Siamesekitten August 2021", - "description": "ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.", - "url": "https://www.clearskysec.com/siamesekitten/" - }, - { - "source_name": "Dragos Hexane", - "description": "Dragos. (n.d.). Hexane. Retrieved October 27, 2019.", - "url": "https://dragos.com/resource/hexane/" - }, - { - "source_name": "Kaspersky Lyceum October 2021", - "description": "Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. 
Retrieved June 14, 2022.", - "url": "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" - }, - { - "source_name": "SecureWorks August 2019", - "description": "SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 ", - "url": "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" + "source_name": "Dragos Oldsmar Feb 2021", + "description": "Serino, G., et al . (2021, February 8). Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack. Retrieved October 21, 2022.", + "url": "https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": [ "ics-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2022-05-11T16:22:58.802Z", - "created": "2022-05-11T16:22:58.802Z", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "name": "Device Alarm", - "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", - "x_mitre_version": "1.0", - "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-21T21:47:33.604Z", - "name": "Software", - "description": "This includes sources of current and 
expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).", - "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", - "created": "2022-09-23T16:36:08.632Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] }, { "object_marking_refs": [ 
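Review bot: The Oldsmar campaign object (C0009) added in this hunk now has `"x_mitre_deprecated": true` but keeps `"revoked": false`, `"x_mitre_version": "1.0"` and the same description text, so nothing in the object says why it was deprecated or what supersedes it. The copy removed in the later hunk at -26520 (which runs past the visible part of the patch) had `"x_mitre_deprecated": false`, so this is a state change inside what otherwise reads as a reorder. Consumers that filter only on `revoked` will keep presenting the campaign as current; a short deprecation sentence at the start of `description` would make the state visible to them. The Pinellas County reference also does not follow the `Author. (date). Title. Retrieved …` form used by the neighbouring entries.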
@@ -26331,38 +37162,6 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "File Creation", - "description": "Initial construction of a new file (ex: Sysmon EID 11)", - "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "File Modification", - "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)", - "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "modified": "2023-02-06T20:58:52.317Z", "name": "OilRig", 
@@ -26483,6 +37282,54 @@ "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Creation", + "description": "Initial construction of a new file (ex: Sysmon EID 11)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Module Load", + "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)", + "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + 
"name": "Logon Session Metadata", + "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -26500,9 +37347,9 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-10-21T21:47:58.629Z", - "name": "Asset Inventory", - "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)", + "modified": "2022-10-21T21:47:33.604Z", + "name": "Software", + "description": "This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).", "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", "x_mitre_deprecated": false, "x_mitre_domains": [ @@ -26510,8 +37357,8 @@ ], "x_mitre_version": "1.0", "type": "x-mitre-data-component", - "id": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "created": "2022-09-23T16:34:00.912Z", + "id": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "created": "2022-09-23T16:36:08.632Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ 
@@ -26520,432 +37367,6 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "modified": "2022-10-21T15:56:01.070Z", - "name": "Oldsmar Treatment Plant Intrusion", - "description": "[Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009) was a cyber incident involving a water treatment facility in Florida. During this incident, unidentified threat actors leveraged features of the system to access and modify setpoints for a specific chemical required in the treatment process. The incident was detected immediately and prevented before it could cause any harm to the public.(Citation: Pinellas County Sheriffs Office February 2021)(Citation: CISA AA21-042A Water Treatment Intrusion Feb 2021)(Citation: Dragos Oldsmar Feb 2021)", - "aliases": [ - "Oldsmar Treatment Plant Intrusion" - ], - "first_seen": "2021-02-01T05:00:00.000Z", - "last_seen": "2021-02-01T05:00:00.000Z", - "x_mitre_first_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", - "x_mitre_last_seen_citation": "(Citation: Pinellas County Sheriffs Office February 2021)", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "type": "campaign", - "id": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "created": "2022-09-20T20:53:14.373Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/campaigns/C0009", - "external_id": "C0009" - }, - { - "source_name": "CISA AA21-042A Water Treatment Intrusion Feb 2021", - "description": "CISA. (2021, February 11). Compromise of U.S. Water Treatment Facility . 
Retrieved October 18, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-042a" - }, - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - }, - { - "source_name": "Dragos Oldsmar Feb 2021", - "description": "Serino, G., et al . (2021, February 8). Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack. Retrieved October 21, 2022.", - "url": "https://www.dragos.com/blog/industry-news/recommendations-following-the-oldsmar-water-treatment-facility-cyber-attack/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.0.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "ics-attack" - ] - }, - { - "modified": "2023-04-21T15:41:36.287Z", - "name": "OS API Execution", - "description": "Operating system function/method calls executed by a process", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "ALLANITE", - "Palmetto Fusion" - ], - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_contributors": [ - "Dragos Threat Intelligence" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - 
"type": "intrusion-set", - "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "created": "2017-05-31T21:31:57.307Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "G1000", - "url": "https://attack.mitre.org/groups/G1000" - }, - { - "source_name": "Dragos", - "url": "https://dragos.com/resource/allanite/", - "description": "Dragos Allanite Retrieved. 2019/10/27 " - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. 
(Citation: Dragos)",
- "modified": "2022-05-24T19:26:10.721Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "ALLANITE",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.272Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.272Z",
- "name": "Process Metadata",
- "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.",
- "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "modified": "2022-10-20T20:18:06.745Z",
- "name": "Network Connection Creation",
- "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)",
- "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.1",
- "type": "x-mitre-data-component",
- "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
- "created": "2021-10-20T15:05:19.274Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "modified": "2023-03-08T22:03:28.170Z",
- "name": "Dragonfly",
- "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)",
- "aliases": [
- "Dragonfly",
- "TEMP.Isotope",
- "DYMALLOY",
- "Berserk Bear",
- "TG-4192",
- "Crouching Yeti",
- "IRON LIBERTY",
- "Energetic Bear"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_version": "3.1",
- "x_mitre_contributors": [
- "Dragos Threat Intelligence"
- ],
- "type": "intrusion-set",
- "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
- "created": "2017-05-31T21:32:05.217Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/groups/G0035",
- "external_id": "G0035"
- },
- {
- "source_name": "DYMALLOY",
- "description": "(Citation: Dragos DYMALLOY )(Citation: UK GOV FSB Factsheet April 2022)"
- },
- {
- "source_name": "Berserk Bear",
- "description": "(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"
- },
- {
- "source_name": "TEMP.Isotope",
- "description": "(Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)"
- },
- {
- "source_name": "Crouching Yeti",
- "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"
- },
- {
- "source_name": "IRON LIBERTY",
- "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)"
- },
- {
- "source_name": "TG-4192",
- "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)"
- },
- {
- "source_name": "Dragonfly",
- "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"
- },
- {
- "source_name": "Energetic Bear",
- "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)"
- },
- {
- "source_name": "CISA AA20-296A Berserk Bear December 2020",
- "description": "CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.",
- "url": "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions"
- },
- {
- "source_name": "DOJ Russia Targeting Critical Infrastructure March 2022",
- "description": "Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.",
- "url": "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical"
- },
- {
- "source_name": "Dragos DYMALLOY ",
- "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.",
- "url": "https://www.dragos.com/threat/dymalloy/"
- },
- {
- "source_name": "Fortune Dragonfly 2.0 Sept 2017",
- "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.",
- "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/"
- },
- {
- "source_name": "Mandiant Ukraine Cyber Threats January 2022",
- "description": "Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.",
- "url": "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats"
- },
- {
- "source_name": "Secureworks MCMD July 2019",
- "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.",
- "url": "https://www.secureworks.com/research/mcmd-malware-analysis"
- },
- {
- "source_name": "Secureworks IRON LIBERTY July 2019",
- "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.",
- "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
- },
- {
- "source_name": "Secureworks Karagany July 2019",
- "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.",
- "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector"
- },
- {
- "source_name": "Gigamon Berserk Bear October 2021",
- "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.",
- "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf"
- },
- {
- "source_name": "Symantec Dragonfly Sept 2017",
- "description": "Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.",
- "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers"
- },
- {
- "source_name": "Symantec Dragonfly",
- "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.",
- "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
- },
- {
- "source_name": "Symantec Dragonfly 2.0 October 2017",
- "description": "Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.",
- "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks"
- },
- {
- "source_name": "UK GOV FSB Factsheet April 2022",
- "description": "UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.",
- "url": "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "modified": "2023-03-08T22:07:25.123Z",
- "name": "APT33",
- "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)",
- "aliases": [
- "APT33",
- "HOLMIUM",
- "Elfin"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.4",
- "x_mitre_contributors": [
- "Dragos Threat Intelligence"
- ],
- "type": "intrusion-set",
- "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f",
- "created": "2018-04-18T17:59:24.739Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/groups/G0064",
- "external_id": "G0064"
- },
- {
- "source_name": "APT33",
- "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)"
- },
- {
- "source_name": "HOLMIUM",
- "description": "(Citation: Microsoft Holmium June 2020)"
- },
- {
- "source_name": "Elfin",
- "description": "(Citation: Symantec Elfin Mar 2019)"
- },
- {
- "source_name": "FireEye APT33 Webinar Sept 2017",
- "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.",
- "url": "https://www.brighttalk.com/webcast/10703/275683"
- },
- {
- "source_name": "Microsoft Holmium June 2020",
- "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.",
- "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/"
- },
- {
- "source_name": "FireEye APT33 Sept 2017",
- "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.",
- "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
- },
- {
- "source_name": "Symantec Elfin Mar 2019",
- "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.",
- "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
- "name": "File Access",
- "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)",
- "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
- "name": "File Metadata",
- "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.",
- "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.271Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.271Z",
- "name": "Firmware Modification",
- "description": "Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)",
- "x_mitre_data_source_ref": "x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
- "name": "Windows Registry Key Deletion",
- "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)",
- "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.271Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.271Z",
- "name": "Scheduled Job Creation",
- "description": "Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)",
- "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
 {
 "modified": "2022-10-07T16:18:20.802Z",
 "name": "Logon Session Creation",
@@ -26968,212 +37389,40 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa",
+ "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
 "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.275Z",
+ "created": "2021-10-20T15:05:19.272Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.275Z",
- "name": "Network Share Access",
- "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)",
- "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e",
+ "modified": "2021-10-20T15:05:19.272Z",
+ "name": "Process Metadata",
+ "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.",
+ "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22",
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2022-03-30T14:26:51.805Z",
- "name": "File Deletion",
- "description": "Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)",
- "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "modified": "2023-03-28T20:49:53.223Z",
- "name": "GOLD SOUTHFIELD",
- "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)",
- "aliases": [
- "GOLD SOUTHFIELD",
- "Pinchy Spider"
- ],
+ "modified": "2022-10-07T16:16:55.269Z",
+ "name": "Script Execution",
+ "description": "The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)",
+ "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e",
 "x_mitre_deprecated": false,
- "x_mitre_version": "2.0",
- "x_mitre_contributors": [
- "Thijn Bukkems, Amazon"
- ],
- "type": "intrusion-set",
- "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133",
- "created": "2020-09-22T19:41:27.845Z",
+ "x_mitre_version": "1.1",
+ "type": "x-mitre-data-component",
+ "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
+ "created": "2021-10-20T15:05:19.272Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/groups/G0115",
- "external_id": "G0115"
- },
- {
- "source_name": "Pinchy Spider",
- "description": "(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)"
- },
- {
- "source_name": "Secureworks REvil September 2019",
- "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.",
- "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware"
- },
- {
- "source_name": "CrowdStrike Evolution of Pinchy Spider July 2021",
- "description": "Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.",
- "url": "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/"
- },
- {
- "source_name": "Secureworks GandCrab and REvil September 2019",
- "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.",
- "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection"
- },
- {
- "source_name": "Secureworks GOLD SOUTHFIELD",
- "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020.",
- "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield"
- }
- ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705",
- "type": "x-mitre-data-component",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2021-10-20T15:05:19.273Z",
- "name": "Service Creation",
- "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)",
- "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
- "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
 {
- "modified": "2023-03-30T19:01:41.451Z",
- "name": "Lazarus Group",
- "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ",
- "aliases": [
- "Lazarus Group",
- "Labyrinth Chollima",
- "HIDDEN COBRA",
- "Guardians of Peace",
- "ZINC",
- "NICKEL ACADEMY"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_version": "3.2",
- "x_mitre_contributors": [
- "Kyaw Pyiyt Htet, @KyawPyiytHtet",
- "Dragos Threat Intelligence"
- ],
- "type": "intrusion-set",
- "id": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
- "created": "2017-05-31T21:32:03.807Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/groups/G0032",
- "external_id": "G0032"
- },
- {
- "source_name": "Labyrinth Chollima",
- "description": "(Citation: CrowdStrike Labyrinth Chollima Feb 2022)"
- },
- {
- "source_name": "ZINC",
- "description": "(Citation: Microsoft ZINC disruption Dec 2017)"
- },
- {
- "source_name": "Lazarus Group",
- "description": "(Citation: Novetta Blockbuster)"
- },
- {
- "source_name": "NICKEL ACADEMY",
- "description": "(Citation: Secureworks NICKEL ACADEMY Dec 2017)"
- },
- {
- "source_name": "Guardians of Peace",
- "description": "(Citation: US-CERT HIDDEN COBRA June 2017)"
- },
- {
- "source_name": "CrowdStrike Labyrinth Chollima Feb 2022",
- "description": "CrowdStrike. (2022, February 1). CrowdStrike Adversary Labyrinth Chollima. Retrieved February 1, 2022.",
- "url": "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/"
- },
- {
- "source_name": "Novetta Blockbuster",
- "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.",
- "url": "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
- },
- {
- "source_name": "Secureworks NICKEL ACADEMY Dec 2017",
- "description": "Secureworks. (2017, December 15). Media Alert - Secureworks Discovers North Korean Cyber Threat Group, Lazarus, Spearphishing Financial Executives of Cryptocurrency Companies. Retrieved December 27, 2017.",
- "url": "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing"
- },
- {
- "source_name": "Microsoft ZINC disruption Dec 2017",
- "description": "Smith, B. (2017, December 19). Microsoft and Facebook disrupt ZINC malware attack to protect customers and the internet from ongoing cyberthreats. Retrieved December 20, 2017.",
- "url": "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/"
- },
- {
- "source_name": "HIDDEN COBRA",
- "description": "The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: US-CERT HOPLIGHT Apr 2019)"
- },
- {
- "source_name": "Treasury North Korean Cyber Groups September 2019",
- "description": "US Treasury . (2019, September 13). Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups. Retrieved September 29, 2021.",
- "url": "https://home.treasury.gov/news/press-releases/sm774"
- },
- {
- "source_name": "US-CERT HIDDEN COBRA June 2017",
- "description": "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017.",
- "url": "https://www.us-cert.gov/ncas/alerts/TA17-164A"
- },
- {
- "source_name": "US-CERT HOPLIGHT Apr 2019",
- "description": "US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.",
- "url": "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
- ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "modified": "2023-03-22T03:51:04.185Z",
+ "modified": "2023-10-04T18:10:49.054Z",
 "name": "FIN7",
- "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)",
+ "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)",
 "aliases": [
 "FIN7",
 "GOLD NIAGARA",
@@ -27181,7 +37430,7 @@
 "Carbon Spider"
 ],
 "x_mitre_deprecated": false,
- "x_mitre_version": "2.2",
+ "x_mitre_version": "3.0",
 "x_mitre_contributors": [
 "Edward Millington"
 ],
@@ -27208,6 +37457,11 @@
 "source_name": "GOLD NIAGARA",
 "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)"
 },
+ {
+ "source_name": "Mandiant FIN7 Apr 2022",
+ "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.",
+ "url": "https://www.mandiant.com/resources/evolution-of-fin7"
+ },
 {
 "source_name": "FireEye CARBANAK June 2017",
 "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.",
@@ -27265,9 +37519,290 @@ "enterprise-attack", "ics-attack" ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-09-12T14:35:52.920Z", + "name": "Wizard Spider", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "aliases": [ + "Wizard Spider", + "UNC1878", + "TEMP.MixMaster", + "Grim Spider", + "FIN12", + "GOLD BLACKBURN", + "ITG23", + "Periwinkle Tempest" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "3.0", + "x_mitre_contributors": [ + "Edward Millington", + "Oleksiy Gayda" + ], + "type": "intrusion-set", + "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "created": "2020-05-12T18:15:29.396Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0102", + "external_id": "G0102" + }, + { + "source_name": "Grim Spider", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" + }, + { + "source_name": "UNC1878", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" + }, + { + "source_name": "TEMP.MixMaster", + "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" + }, + { + "source_name": "ITG23", + "description": "(Citation: IBM X-Force ITG23 Oct 2021)" + }, + { 
+ "source_name": "FIN12", + "description": "(Citation: Mandiant FIN12 Oct 2021)" + }, + { + "source_name": "GOLD BLACKBURN", + "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" + }, + { + "source_name": "Periwinkle Tempest", + "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "CrowdStrike Grim Spider May 2019", + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. 
Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + }, + { + "source_name": "Secureworks Gold Blackburn Mar 2022", + "description": "Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-blackburn" + }, + { + "source_name": "Mandiant FIN12 Oct 2021", + "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", + "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" + }, + { + "source_name": "IBM X-Force ITG23 Oct 2021", + "description": "Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.", + "url": "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "modified": "2022-11-30T22:46:40.135Z", + "name": "TEMP.Veles", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. 
The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "aliases": [ + "TEMP.Veles", + "XENOTIME" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "1.3", + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "type": "intrusion-set", + "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "created": "2019-04-16T15:14:38.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0088", + "external_id": "G0088" + }, + { + "source_name": "TEMP.Veles", + "description": "(Citation: FireEye TRITON 2019)" + }, + { + "source_name": "Dragos Xenotime 2018", + "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.", + "url": "https://dragos.com/resource/xenotime/" + }, + { + "source_name": "FireEye TEMP.Veles 2018", + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" + }, + { + "source_name": "FireEye TRITON 2019", + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" + }, + { + "source_name": "FireEye TEMP.Veles JSON April 2019", + "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. 
Retrieved April 29, 2019.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html" + }, + { + "source_name": "Pylos Xenotime 2019", + "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019.", + "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/" + }, + { + "source_name": "XENOTIME", + "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609).(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-20T20:18:06.745Z", + "name": "Network Connection Creation", + "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Windows Registry Key Deletion", + "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Drive Creation", + "description": "Initial construction of a drive letter or mount point to a data storage device", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Firmware Modification", + "description": "Changes made to firmware, including its settings and/or data, such as MBR (Master Boot Record) and VBR (Volume Boot Record)", + "x_mitre_data_source_ref": 
"x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.805Z", + "name": "File Deletion", + "description": "Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Modification", + "description": "Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "modified": "2023-03-22T03:50:17.471Z", "name": "FIN6", 
@@ -27364,69 +37899,62 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "modified": "2023-03-28T20:49:53.223Z", + "name": "GOLD SOUTHFIELD", + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments. By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting the victim to pay for their data to not get publicly leaked.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)", + "aliases": [ + "GOLD SOUTHFIELD", + "Pinchy Spider" ], - "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.271Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.271Z", - "name": "Scheduled Job Metadata", - "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", - "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-07T16:19:46.282Z", - "name": "User Account Authentication", - "description": "An attempt by a user to gain access to a network or computing resource, 
often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)", - "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", "x_mitre_deprecated": false, - "x_mitre_version": "1.1", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", - "created": "2021-10-20T15:05:19.271Z", + "x_mitre_version": "2.0", + "x_mitre_contributors": [ + "Thijn Bukkems, Amazon" + ], + "type": "intrusion-set", + "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "created": "2020-09-22T19:41:27.845Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0115", + "external_id": "G0115" + }, + { + "source_name": "Pinchy Spider", + "description": "(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)" + }, + { + "source_name": "Secureworks REvil September 2019", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + }, + { + "source_name": "CrowdStrike Evolution of Pinchy Spider July 2021", + "description": "Meyers, Adam. (2021, July 6). The Evolution of PINCHY SPIDER from GandCrab to REvil. Retrieved March 28, 2023.", + "url": "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/" + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection" + }, + { + "source_name": "Secureworks GOLD SOUTHFIELD", + "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. 
Retrieved October 6, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" ], - "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "Service Metadata", - "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", - "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.271Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.271Z", - "name": "Scheduled Job Modification", - "description": "Changes made to a scheduled job, such as modifications to the execution launch (ex: Windows EID 4702 or /var/log cron logs)", - "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -27520,120 +38048,185 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", + "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", + "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "Drive Creation", - "description": "Initial construction of a drive letter or mount point to a data storage device", - "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Creation", + "description": "Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-22T05:44:27.289Z", - "name": "Wizard Spider", - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. 
[Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", - "aliases": [ - "Wizard Spider", - "UNC1878", - "TEMP.MixMaster", - "Grim Spider" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "2.1", - "x_mitre_contributors": [ - "Edward Millington", - "Oleksiy Gayda" - ], - "type": "intrusion-set", - "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "created": "2020-05-12T18:15:29.396Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/groups/G0102", - "external_id": "G0102" - }, - { - "source_name": "Grim Spider", - "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" - }, - { - "source_name": "UNC1878", - "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" - }, - { - "source_name": "TEMP.MixMaster", - "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" - }, - { - "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", - "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", - "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" - }, - { - "source_name": "FireEye Ryuk and Trickbot January 2019", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. 
Retrieved May 12, 2020.", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" - }, - { - "source_name": "CrowdStrike Ryuk January 2019", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" - }, - { - "source_name": "CrowdStrike Grim Spider May 2019", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" - }, - { - "source_name": "FireEye KEGTAP SINGLEMALT October 2020", - "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", - "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" - }, - { - "source_name": "CrowdStrike Wizard Spider October 2020", - "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. 
Retrieved June 15, 2021.", - "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0015", + "external_id": "DS0015" + }, + { + "source_name": "Confluence Logs", + "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. 
Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + } + ], + "modified": "2022-05-11T14:00:00.188Z", + "name": "Application Log", + "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2023-03-24T19:14:55.615Z", - "name": "Operational Databases", - "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred", + "modified": "2022-12-07T19:50:43.993Z", + "name": "User Account", + "description": "A profile representing a user, device, service, or application used to authenticate and access resources", + "x_mitre_platforms": [ + "Azure AD", + "Containers", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], "x_mitre_deprecated": false, "x_mitre_domains": [ - "ics-attack" + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" ], - "x_mitre_version": "1.0", "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Container", "Host" ], "type": "x-mitre-data-source", - "id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", - "created": "2022-05-11T16:22:58.802Z", + "id": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0040", - "external_id": "DS0040" + "url": 
"https://attack.mitre.org/datasources/DS0002", + "external_id": "DS0002" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0033", + "external_id": "DS0033" + }, + { + "source_name": "Microsoft NFS Overview", + "description": "Microsoft. (2018, July 9). Network File System overview. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Network Share", + "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-12-07T19:35:34.863Z", + "name": "File", + "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)", + "x_mitre_platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0022", + "external_id": "DS0022" + }, + { + "source_name": "Microsoft File Mgmt", + "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management" } ], "object_marking_refs": [ 
@@ -27689,47 +38282,73 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-12-07T19:45:09.019Z", - "name": "Logon Session", - "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)", "x_mitre_platforms": [ - "Azure AD", - "Google Workspace", - "IaaS", "Linux", - "Office 365", - "SaaS", "Windows", "macOS" ], - "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack" ], - "x_mitre_version": "1.1", "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ - "Cloud Control Plane", - "Host", - "Network" + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0019", + "external_id": "DS0019" + }, + { + "source_name": "Microsoft Services", + "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications" + }, + { + "source_name": "Linux Services Run Levels", + "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. 
Retrieved September 28, 2021.", + "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + } + ], + "modified": "2022-03-30T14:26:51.807Z", + "name": "Service", + "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-24T19:14:55.615Z", + "name": "Operational Databases", + "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "Host" ], "type": "x-mitre-data-source", - "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", - "created": "2021-10-20T15:05:19.274Z", + "id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "created": "2022-05-11T16:22:58.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0028", - "external_id": "DS0028" - }, - { - "source_name": "Microsoft Audit Logon Events", - "description": "Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + "url": "https://attack.mitre.org/datasources/DS0040", + "external_id": "DS0040" } ], "object_marking_refs": [ 
@@ -27739,47 +38358,48 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "modified": "2023-04-20T18:38:13.356Z", + "name": "Network Traffic", + "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "x_mitre_platforms": [ - "Google Workspace", "IaaS", "Linux", - "Office 365", - "SaaS", "Windows", - "macOS" + "macOS", + "Android", + "iOS" ], + "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", - "ics-attack" + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "ExtraHop" ], "x_mitre_collection_layers": [ "Cloud Control Plane", - "Host" + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0029", + "external_id": "DS0029" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0015", - "external_id": "DS0015" - }, - { - "source_name": "Confluence Logs", - "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. 
Retrieved September 23, 2021.", - "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" - } - ], - "modified": "2022-05-11T14:00:00.188Z", - "name": "Application Log", - "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
@@ -27837,6 +38457,253 @@ "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "x_mitre_platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0003", + "external_id": "DS0003" + }, + { + "source_name": "Microsoft Tasks", + "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Scheduled Job", + "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2023-03-24T19:14:15.637Z", + "name": "Asset", + "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "created": 
"2022-05-11T16:22:58.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0039", + "external_id": "DS0039" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0024", + "external_id": "DS0024" + }, + { + "source_name": "Microsoft Registry", + "description": "Microsoft. (2018, May 31). Registry. 
Retrieved September 29, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" + } + ], + "modified": "2022-05-11T14:00:00.188Z", + "name": "Windows Registry", + "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0011", + "external_id": "DS0011" + }, + { + "source_name": "Microsoft LoadLibrary", + "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" + }, + { + "source_name": "Microsoft Module Class", + "description": "Microsoft. (n.d.). Module Class. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Module", + "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-12-07T19:45:09.019Z", + "name": "Logon Session", + "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)", + "x_mitre_platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0028", + "external_id": "DS0028" + }, + { + "source_name": "Microsoft Audit Logon Events", + "description": "Microsoft. (2021, September 6). Audit logon events. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0016", + "external_id": "DS0016" + }, + { + "source_name": "Sysmon EID 9", + "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. Retrieved September 24, 2021.", + "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread" + } + ], + "modified": "2022-03-30T14:26:51.804Z", + "name": "Drive", + "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "modified": "2022-12-07T19:50:56.964Z", "name": "Script", 
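Review bot: The six data-source objects added in this hunk (Scheduled Job DS0003, Asset DS0039, Windows Registry DS0024, Module DS0011, Logon Session DS0028, Drive DS0016) appear to be the same text that the hunks at -27689, -27888 and -28167 remove, so most of this churn is a reordering of `objects` rather than a content change. That makes real changes hard to audit: File (DS0022), Network Share (DS0033), User Account (DS0002) and Application Log (DS0015) are removed in the neighbouring hunks and are not re-added in the visible part of the diff, so a reader cannot tell from here whether they moved or were dropped from the bundle. If the export step allows it, emitting `objects` in a stable order (for example sorted by `id`) would keep a release diff limited to the objects that actually changed.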
@@ -27888,249 +38755,6 @@ "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "modified": "2023-04-20T18:38:13.356Z", - "name": "Network Traffic", - "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", - "x_mitre_platforms": [ - "IaaS", - "Linux", - "Windows", - "macOS", - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "mobile-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)", - "ExtraHop" - ], - "x_mitre_collection_layers": [ - "Cloud Control Plane", - "Host", - "Network" - ], - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0029", - "external_id": "DS0029" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS" - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { 
- "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0011", - "external_id": "DS0011" - }, - { - "source_name": "Microsoft LoadLibrary", - "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" - }, - { - "source_name": "Microsoft Module Class", - "description": "Microsoft. (n.d.). Module Class. Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" - } - ], - "modified": "2022-03-30T14:26:51.806Z", - "name": "Module", - "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_collection_layers": [ - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0024", - "external_id": "DS0024" - }, - { - "source_name": "Microsoft Registry", - "description": "Microsoft. (2018, May 31). Registry. 
Retrieved September 29, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry" - } - ], - "modified": "2022-05-11T14:00:00.188Z", - "name": "Windows Registry", - "description": "A Windows OS hierarchical database that stores much of the information and settings for software programs, hardware devices, user preferences, and operating-system configurations(Citation: Microsoft Registry)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2023-03-24T19:14:15.637Z", - "name": "Asset", - "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_collection_layers": [ - "Host" - ], - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", - "created": "2022-05-11T16:22:58.802Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0039", - "external_id": "DS0039" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-12-07T19:35:34.863Z", - "name": "File", - "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)", - "x_mitre_platforms": [ - "Linux", - "Network", - "Windows", - "macOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": 
"1.0", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0022", - "external_id": "DS0022" - }, - { - "source_name": "Microsoft File Mgmt", - "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS" - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0016", - "external_id": "DS0016" - }, - { - "source_name": "Sysmon EID 9", - "description": "Russinovich, R. & Garnier, T. (2021, August 18). Sysmon Event ID 9. 
Retrieved September 24, 2021.", - "url": "https://docs.microsoft.com/sysinternals/downloads/sysmon#event-id-9-rawaccessread" - } - ], - "modified": "2022-03-30T14:26:51.804Z", - "name": "Drive", - "description": "A non-volatile data storage device (hard drive, floppy disk, USB flash drive) with at least one formatted partition, typically mounted to the file system and/or assigned a drive letter(Citation: Sysmon EID 9)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "x_mitre_platforms": [ "Linux", 
@@ -28167,182 +38791,6 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "x_mitre_platforms": [ - "Containers", - "Linux", - "Windows", - "macOS" - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Container", - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.271Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0003", - "external_id": "DS0003" - }, - { - "source_name": "Microsoft Tasks", - "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" - } - ], - "modified": "2022-03-30T14:26:51.806Z", - "name": "Scheduled Job", - "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS" - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.274Z", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0033", - "external_id": "DS0033" - }, - { - "source_name": "Microsoft NFS Overview", - "description": "Microsoft. (2018, July 9). Network File System overview. Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview" - } - ], - "modified": "2022-03-30T14:26:51.806Z", - "name": "Network Share", - "description": "A storage resource (typically a folder or drive) made available from one host to others using network protocols, such as Server Message Block (SMB) or Network File System (NFS)(Citation: Microsoft NFS Overview)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS" - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0019", - "external_id": "DS0019" - }, - { - "source_name": "Microsoft Services", - "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. 
Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications" - }, - { - "source_name": "Linux Services Run Levels", - "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.", - "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" - } - ], - "modified": "2022-03-30T14:26:51.807Z", - "name": "Service", - "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-12-07T19:50:43.993Z", - "name": "User Account", - "description": "A profile representing a user, device, service, or application used to authenticate and access resources", - "x_mitre_platforms": [ - "Azure AD", - "Containers", - "Google Workspace", - "IaaS", - "Linux", - "Office 365", - "SaaS", - "Windows", - "macOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Cloud Control Plane", - "Container", - "Host" - ], - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", - "created": "2021-10-20T15:05:19.271Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0002", - "external_id": "DS0002" - } - ], - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "x_mitre_domains": [ "ics-attack" @@ -28362,6 +38810,21 @@ "name": "APT34", "x_mitre_version": "1.0" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb", + "type": "relationship", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2018-10-17T00:14:20.652Z", + "relationship_type": "revoked-by", + "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", + "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
@@ -28382,18 +38845,34 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "type": "relationship", + "id": "relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c", + "created": "2023-09-27T13:17:12.592Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Andy Greenberg June 2017", + "description": "Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.", + "url": "https://www.wired.com/story/russian-hackers-attack-ukraine/" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb", - "type": "relationship", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2018-10-17T00:14:20.652Z", - "relationship_type": "revoked-by", - "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "x_mitre_version": "1.0", + "modified": "2023-09-27T13:37:24.610Z", + "description": "(Citation: Andy Greenberg June 2017) (Citation: US District Court Indictment GRU Unit 74455 October 2020)", + "relationship_type": "attributed-to", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
diff --git a/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json index 49a8aa5c2b..5efeaa8966 100644 --- a/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json +++ b/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--980aaf59-907a-45de-a2cb-591831336d1b", + "id": "bundle--c291008f-73b4-43ed-bbee-2a9a488c8fdd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json b/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json index 5848772a4d..fed611419a 100644 --- a/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json +++ b/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8eb81101-b697-4838-95ed-743d52c74fbe", + "id": "bundle--2269e8c3-0635-411d-a906-30243700cf7c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json b/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json index 8d28fe5fe2..c66eb00831 100644 --- a/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json +++ b/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb0972a5-450a-4e6d-b585-e3b2a771a600", + "id": "bundle--d7b506e1-622d-4d0d-914f-9474b806e275", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json b/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json index f4ea7a1436..0f3612dfc8 100644 --- a/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json 
+++ b/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--59720d00-615e-4878-b5ab-736e626221c9", + "id": "bundle--328c6b9c-e943-4475-96a4-04a0ffa6856d", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-08T22:03:28.170Z", + "modified": "2023-10-01T02:45:48.973Z", "name": "Dragonfly", "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", "aliases": [ @@ -18,7 +18,7 @@ "Energetic Bear" ], "x_mitre_deprecated": false, - "x_mitre_version": "3.1", + "x_mitre_version": "3.2", "x_mitre_contributors": [ "Dragos Threat Intelligence" ], @@ -138,7 +138,7 @@ "enterprise-attack", "ics-attack" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json b/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json index 034ce703c2..796bc06806 100644 --- a/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json 
+++ b/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f63836fc-0e73-477e-9a42-5c51c1519324", + "id": "bundle--11e0699e-de3e-4705-8f0a-ef759581da8d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json b/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json index 9b4e559e2a..f10631fca4 100644 --- a/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json +++ b/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json 
@@ -1,12 +1,12 @@ { "type": "bundle", - "id": "bundle--c927b2ed-c149-416c-bf1c-a70469663b37", + "id": "bundle--739f1084-ef29-41ff-896b-a82d7ddfb72e", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-22T03:51:04.185Z", + "modified": "2023-10-04T18:10:49.054Z", "name": "FIN7", - "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. 
Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)", "aliases": [ "FIN7", "GOLD NIAGARA", @@ -14,7 +14,7 @@ "Carbon Spider" ], "x_mitre_deprecated": false, - "x_mitre_version": "2.2", + "x_mitre_version": "3.0", "x_mitre_contributors": [ "Edward Millington" ], @@ -41,6 +41,11 @@ "source_name": "GOLD NIAGARA", "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" }, + { + "source_name": "Mandiant FIN7 Apr 2022", + "description": "Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.", + "url": "https://www.mandiant.com/resources/evolution-of-fin7" + }, { "source_name": "FireEye CARBANAK June 2017", "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", @@ -98,7 +103,7 @@ "enterprise-attack", "ics-attack" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json index 78c016477b..0a22c75981 100644 --- a/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json 
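Review bot: In the rewritten `description` of the `@@ -1,12 +1,12 @@` hunk, the sentence starting `FIN7 may be linked to the [Carbanak]` drops the group link. The removed line had it, and every other mention in the new text keeps it, so tooling that resolves group mentions from the markdown links will miss this one. It should read `[FIN7](https://attack.mitre.org/groups/G0046) may be linked to`. The same rewrite also ties "often used point-of-sale malware" to the portion run out of Combi Security rather than to the group as a whole, which looks like an unintended change of meaning and is worth checking against the cited reports. The intrusion-set object continues past this hunk.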
+++ b/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--8b7af9cc-74d3-4224-9d6b-8270ac0079a8", + "id": "bundle--41f5ba04-1dbb-498c-a0a9-554b6cb03fdf", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-08T22:12:31.238Z", + "modified": "2023-10-06T14:13:06.011Z", "name": "Sandworm Team", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "aliases": [ 
@@ -18,7 +18,7 @@ "IRIDIUM" ], "x_mitre_deprecated": false, - "x_mitre_version": "3.0", + "x_mitre_version": "3.1", "x_mitre_contributors": [ "Dragos Threat Intelligence" ], @@ -130,11 +130,11 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ - "ics-attack", "enterprise-attack", + "ics-attack", "mobile-attack" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json b/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json index 4e3f6e81cf..a7f21cfec3 100644 --- a/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json +++ b/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e6a6e0b9-6b67-4ccc-8556-517018ace9e8", + "id": "bundle--5ccc16dd-b7b6-4703-b0f3-48cd9518b6a2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json b/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json index 41c6821192..122cd569fa 100644 --- a/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json +++ b/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97f420fa-f87c-4de4-a263-e0cb30d14702", + "id": "bundle--0d45dbe7-5faf-427f-8734-f91ccbe22f24", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json b/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json index db8bc0a033..15357d26fc 100644 --- a/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json 
+++ b/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--21b8d210-516c-4cf9-a725-8c65bb30f9af", + "id": "bundle--3ca7b607-30ac-4acc-bd00-b2ae4d77839a", "spec_version": "2.0", "objects": [ { @@ -11,8 +11,8 @@ "Berserk Bear" ], "x_mitre_domains": [ - "ics-attack", - "enterprise-attack" + "enterprise-attack", + "ics-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" diff --git a/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json b/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json index 1b2d73bd95..28eabcb3ba 100644 --- a/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json +++ b/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0a9261a-9256-47ce-8646-330f765b3baa", + "id": "bundle--32e41a42-ba29-4fb3-8431-35657a94d2cb", "spec_version": "2.0", "objects": [ { @@ -65,8 +65,8 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ - "ics-attack", - "enterprise-attack" + "enterprise-attack", + "ics-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" diff --git a/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json b/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json index a2408e7aca..8fc4aef94d 100644 --- a/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json +++ b/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7950267-aecb-4eaf-bbdd-7124d9224bea", + "id": "bundle--a12060e7-b7a6-44e3-bc04-79282729813d", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json b/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json index f5c24084c9..a61d02bc5c 100644 --- a/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json +++ b/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95f75d2e-8cbf-460b-a3a2-efbf99ef2f7e", + "id": "bundle--54c7a646-4acc-4a40-a011-ed06b7c326eb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json b/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json index 97985709a4..14617b990c 100644 --- a/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json +++ b/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json 
@@ -1,20 +1,24 @@ { "type": "bundle", - "id": "bundle--f8b9df8b-ef3a-4341-96e9-45929ffcb62c", + "id": "bundle--c7da4d37-4439-4edf-80e1-3fec93d4d607", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-22T05:44:27.289Z", + "modified": "2023-09-12T14:35:52.920Z", "name": "Wizard Spider", - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse aresenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "aliases": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", - "Grim Spider" + "Grim Spider", + "FIN12", + "GOLD BLACKBURN", + "ITG23", + "Periwinkle Tempest" ], "x_mitre_deprecated": false, - "x_mitre_version": "2.1", + "x_mitre_version": "3.0", "x_mitre_contributors": [ "Edward Millington", "Oleksiy Gayda" 
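Review bot: The added `description` line misspells `arsenal` as `aresenal`. The removed line had it right and the rest of the sentence is unchanged, so this is a regression in the new text; restore `possesses a diverse arsenal of tools`. As written, the description differs from the previous release without carrying new information, which adds noise for anyone diffing releases to find the real change in this hunk, the four added aliases. The object continues past this hunk.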
@@ -42,6 +46,22 @@ "source_name": "TEMP.MixMaster", "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" }, + { + "source_name": "ITG23", + "description": "(Citation: IBM X-Force ITG23 Oct 2021)" + }, + { + "source_name": "FIN12", + "description": "(Citation: Mandiant FIN12 Oct 2021)" + }, + { + "source_name": "GOLD BLACKBURN", + "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" + }, + { + "source_name": "Periwinkle Tempest", + "description": "(Citation: Secureworks Gold Blackburn Mar 2022)" + }, { "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", 
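Review bot: The new `Periwinkle Tempest` alias entry cites `Secureworks Gold Blackburn Mar 2022`, the same reference used for `GOLD BLACKBURN`. The name's only support is therefore a third-party profile dated March 2022 (retrieved June 2023, per the reference added later in this file). The name appears to follow Microsoft's naming taxonomy rather than Secureworks' (to be confirmed). Analysts who pivot on aliases are better served by a citation to whoever assigned the name, so if a primary source exists, add it as its own `external_references` entry and cite it here. The `external_references` array starts and ends outside this hunk.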
@@ -71,6 +91,21 @@ "source_name": "CrowdStrike Wizard Spider October 2020", "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.", "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" + }, + { + "source_name": "Secureworks Gold Blackburn Mar 2022", + "description": "Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.", + "url": "https://www.secureworks.com/research/threat-profiles/gold-blackburn" + }, + { + "source_name": "Mandiant FIN12 Oct 2021", + "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", + "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" + }, + { + "source_name": "IBM X-Force ITG23 Oct 2021", + "description": "Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.", + "url": "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/" } ], "object_marking_refs": [ diff --git a/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json b/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json index a845e1aa4c..cd170e6830 100644 --- a/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json +++ b/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c1a7584-83ac-42bc-afe5-20c74825315b", + "id": "bundle--f1907863-a695-4309-bc9b-e7b0c0c87931", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json b/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json index b12f82815f..7a447be07b 100644 --- a/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json +++ b/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cfa888f4-d07f-4399-9774-9e7bed10e2f9", + "id": "bundle--5f186112-a566-4603-894e-8de363c64423", "spec_version": "2.0", "objects": [ { @@ -65,8 +65,8 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" + "ics-attack", + "enterprise-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" diff --git a/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json b/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json index 1d75218596..97c966b200 100644 --- a/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json +++ b/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa8e6294-60d7-45f2-800e-038db9f8edf2", + "id": "bundle--39dad142-b8f4-4bfb-92ef-4ad6a3880bb1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json b/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json index 4715dccf53..ba99be7a8e 100644 --- a/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json +++ b/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1839570a-8279-474a-9c50-e53609c106e4", + "id": "bundle--999b4ff4-2d45-4c07-adf5-06df2a6f790d", "spec_version": "2.0", "objects": [ { 
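Review bot: The `@@ -65,8 +65,8 @@` hunk in intrusion-set--fbd29c89 reorders `x_mitre_domains` to `"ics-attack", "enterprise-attack"`, the opposite direction from the other reorderings in this commit. intrusion-set--76d59913, intrusion-set--9538b1a4 and Sandworm Team all move to `"enterprise-attack", "ics-attack"`. Apart from the regenerated bundle id, nothing else in this file changes in the visible hunks, so this looks like serializer ordering noise rather than an intelligence update. Emitting the list in one fixed (sorted) order would keep release diffs limited to real content changes and stop consumers from inferring meaning from the order. The object continues outside the hunk.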
diff --git a/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json b/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json index df3f1f0ecd..020e9ab5a5 100644 --- a/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json +++ b/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b157423a-32e7-446a-b821-04f30e477968", + "id": "bundle--3b7a1fd6-777b-4d65-ac4e-aee777341d03", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json b/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json index 34a511998d..fb088e6507 100644 --- a/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json +++ b/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11d7ae20-2dac-40dc-b3e9-011cdab559ba", + "id": "bundle--da684ed9-78cb-4d25-b4da-d737926f3714", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json b/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json index 5f1eb9fc5e..8238a4db07 100644 --- a/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json +++ b/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38736127-7364-46ec-8bac-dc13ce2b1580", + "id": "bundle--1d6fefe2-7ea6-47d3-8229-6333f6d873c8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json b/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json index db3d6948b0..48f5bcf7d9 100644 --- a/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json +++ b/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8fc0555-f3d0-4619-b6ff-eaabddced37f", + "id": "bundle--3bc5b95d-f073-4f0f-a8ef-78bba9a388cd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json b/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json index 8207e961b4..e8a328e134 100644 --- a/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json +++ b/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eef19592-11e6-4fc3-a557-25f0848e5421", + "id": "bundle--1b91ad2e-11d3-46f4-ad50-d32ce36d46c3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json b/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json index a37e42b84c..9a6273f05c 100644 --- a/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json +++ b/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf631640-1f28-441b-931c-119c4b07efaa", + "id": "bundle--25091304-e11b-4d5f-a8dc-2392ccd6672c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json b/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json index 39095c517a..f3f09ef834 100644 --- a/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json +++ b/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9683e341-d9dd-42ee-8e84-8a9db39ad4dd", + "id": "bundle--3b0406d5-047f-40cc-99cc-4ab9259910e3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json b/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json index aca89721a1..f13aaf9e40 100644 
--- a/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json +++ b/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--f58b61b1-5240-43de-82e3-4b05cf24fd6b", + "id": "bundle--ebdfe94d-af0c-47bc-bd12-8ac777a7deb2", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-12T17:33:00.482Z", + "modified": "2023-10-06T14:08:40.134Z", "name": "BlackEnergy", "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)", "x_mitre_platforms": [ @@ -15,7 +15,7 @@ "enterprise-attack", "ics-attack" ], - "x_mitre_version": "1.3", + "x_mitre_version": "1.4", "x_mitre_aliases": [ "BlackEnergy", "Black Energy" @@ -43,7 +43,7 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json b/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json index 9d4391ebad..4bfcd9d442 100644 --- a/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json +++ b/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--338b0e88-c726-4d2f-a965-9c2a20c33495", + "id": "bundle--cb3289d7-9add-4e73-abcd-4429313efc2c", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json b/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json index a317eb44d0..7e3beb7a36 100644 --- a/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json +++ b/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a341a1ee-4c32-4452-8182-cfecda94645d", + "id": "bundle--2d5634fb-c406-428f-8669-1ef3ab872a21", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json b/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json index b4df20f0ac..067343b5f2 100644 --- a/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json +++ b/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--afe3e47a-ece5-47f9-bc93-12aaead775c3", + "id": "bundle--2d3fe5c4-427f-4c11-8eab-847c42331e7e", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-08T22:03:50.370Z", + "modified": "2023-10-17T20:05:34.648Z", "name": "LockerGoga", "description": "[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that was first reported in January 2019, and has been tied to various attacks on European companies, including industrial and manufacturing firms.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", "x_mitre_platforms": [ @@ -17,7 +17,7 @@ ], "x_mitre_version": "2.0", "x_mitre_contributors": [ - "Joe Slowik - Dragos" + "Joe Slowik - Dragos" ], "x_mitre_aliases": [ "LockerGoga" @@ -50,7 +50,7 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] 
diff --git a/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json b/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json index 129e2de5be..def1c0c39e 100644 --- a/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json +++ b/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f28f337-c5fb-4d07-b8aa-2a9f3823035f", + "id": "bundle--e1831944-7bac-4a9a-abcd-d5571d105e93", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json b/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json index decfb5e18f..f8235a1939 100644 --- a/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json +++ b/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7f12df0a-5102-44aa-8043-a9a8036aec17", + "id": "bundle--db877a94-36c5-4400-ace1-f1575c7e7a17", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json b/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json index ce51b508d5..dae0cab29f 100644 --- a/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json +++ b/ics-attack/malware/malware--6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--41a14769-749e-4703-8500-0722289392e5", + "id": "bundle--9952f602-7da5-4ab6-8624-9ef8c0128446", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json b/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json index d510d0d760..56a10c3384 100644 --- a/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json +++ b/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bee3a09c-baf6-42ea-bec5-272d73911192", + "id": "bundle--7589ecb7-78e3-41d5-a518-e17fc615a974", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json b/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json index d0230c5442..85c1c16b78 100644 --- a/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json +++ b/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7eda39f-af96-4ca3-9037-aab5ba71dbd6", + "id": "bundle--a31534f9-56b9-4c11-bbb5-6bfe0dc7692a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json b/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json index 632cbc9d91..e146e2fd7e 100644 --- a/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json +++ b/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--721ebd06-b632-4fe2-904f-395830502d99", + "id": "bundle--fa6e8f21-88b9-48e4-9f08-6663b050f6de", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json b/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json index d547db3907..e04d6f6ecf 100644 --- a/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json +++ b/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ca9b74d-5977-4d2a-9343-ac25efa69a0d", + "id": "bundle--adc3a761-05ab-46e2-ab60-4818e6865ebd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json b/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json index 85653b615a..3227fb1c34 100644 
--- a/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json +++ b/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b7fce69-aba4-4114-8305-b96998b2f4e9", + "id": "bundle--25f7e0be-b876-4b1b-970c-1db76857e043", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json b/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json index 1bd8105d8b..1ae816d177 100644 --- a/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json +++ b/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json @@ -1,19 +1,21 @@ { "type": "bundle", - "id": "bundle--837242f4-62b8-4a41-9f21-2f57aecea834", + "id": "bundle--332c6aea-4c8e-41fa-bab0-e584aa3b1e51", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], + "modified": "2023-08-09T18:11:35.634Z", + "name": "Ryuk", + "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", "x_mitre_platforms": [ "Windows" ], + "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], + "x_mitre_version": "1.4", "x_mitre_contributors": [ "The DFIR Report, @TheDFIRReport", "Matt Brenton, Zurich Insurance Group" 
@@ -21,18 +23,16 @@ "x_mitre_aliases": [ "Ryuk" ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "malware", "id": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "created": "2020-05-13T20:14:53.171Z", - "x_mitre_version": "1.3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "external_id": "S0446", - "url": "https://attack.mitre.org/software/S0446" + "url": "https://attack.mitre.org/software/S0446", + "external_id": "S0446" }, { "source_name": "Ryuk", 
@@ -40,32 +40,32 @@ }, { "source_name": "Bleeping Computer - Ryuk WoL", - "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/", - "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021." + "description": "Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.", + "url": "https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" }, { "source_name": "FireEye Ryuk and Trickbot January 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" }, { "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" }, { "source_name": "FireEye FIN6 Apr 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "description": "McKeague, B. et al. (2019, April 5). 
Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019." + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" } ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)", - "modified": "2022-05-24T21:10:44.381Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Ryuk", - "x_mitre_attack_spec_version": "2.1.0", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json b/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json index 3a287cbf89..96b6773e7c 100644 --- a/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json +++ b/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a3280e9-d3ac-4ad3-a1af-8dad84d433fd", + "id": "bundle--011f275f-13c1-4dfb-b29b-08a19f3b8f82", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json b/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json index 2871cf2af4..775cf7ff3c 100644 --- a/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json +++ b/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b292fc1d-b73c-4699-93df-13f31a2c4f6a", + "id": "bundle--d35f5bb5-0670-4ccd-adbc-4db1f552627c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json b/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json index e4e00978aa..d440fbea78 100644 --- a/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json +++ b/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca8d9702-4eb6-4584-b3b5-e8c7f2ad6751", + "id": "bundle--72578681-8780-4b3f-af60-41a9c9633706", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json b/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json index 02d9029b66..12abcd8489 100644 --- a/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json +++ b/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json 
@@ -1,10 +1,10 @@
 {
 "type": "bundle",
- "id": "bundle--a84ff427-8c1b-4700-bcd5-9f862a1ac096",
+ "id": "bundle--65a6037c-9e83-4876-8950-a2d6339086b1",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-08T22:13:42.357Z",
+ "modified": "2023-10-06T14:09:52.833Z",
 "name": "KillDisk",
 "description": "[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)",
 "x_mitre_platforms": [
@@ -16,7 +16,7 @@
 "enterprise-attack",
 "ics-attack"
 ],
- "x_mitre_version": "1.1",
+ "x_mitre_version": "1.2",
 "x_mitre_aliases": [
 "KillDisk",
 "Win32/KillDisk.NBI",
@@ -63,7 +63,7 @@
 "labels": [
 "malware"
 ],
- "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
diff --git a/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json b/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
index 267624d534..f1717d406c 100644
--- a/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
+++ b/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--ecda400a-e104-4623-a754-e90807fd5315", + "id": "bundle--21ba8742-fad8-4ac3-ba34-c1d9d493b2a4", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-20T20:37:50.556Z", + "modified": "2023-10-17T20:09:38.062Z", "name": "Industroyer", "description": "[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)", "x_mitre_platforms": [ @@ -18,7 +18,7 @@ "x_mitre_version": "1.1", "x_mitre_contributors": [ "Dragos Threat Intelligence", - "Joe Slowik - Dragos" + "Joe Slowik - Dragos" ], "x_mitre_aliases": [ "Industroyer", @@ -66,7 +66,7 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json b/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json index 3fde035459..c953079df8 100644 --- a/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json +++ b/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5fbee592-38c2-4db0-bf1f-a0438fa93c97", + "id": "bundle--aba93855-c8e5-4253-bc42-7f2b88ea701b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json index f089c64454..208bfe3c3d 100644 --- a/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json +++ b/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e458d9eb-2f22-4954-a490-d84f5504adbd", + "id": "bundle--364a5bc0-916a-408b-a2eb-e6c49e47f782", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json b/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json new file mode 100644 index 0000000000..5d20c44ddf --- /dev/null +++ b/ics-attack/relationship/relationship--007a2c53-fc5c-4750-aff0-defb282e178a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4807ac97-7f90-4adb-8e9f-74fe57618512", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--007a2c53-fc5c-4750-aff0-defb282e178a", + "created": "2023-09-29T16:30:30.829Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:30:30.829Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json b/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json index 1786841dc2..ecc2dd1e8e 100644 --- a/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json +++ b/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2e66b39-3e2e-4b07-a150-3a386996ad73", + "id": "bundle--3e039307-94a4-4ceb-a98c-62a696d3f21f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json b/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json new file mode 100644 index 0000000000..04038aea8a --- /dev/null +++ b/ics-attack/relationship/relationship--00b9e63b-57a7-408e-83d6-fc03535010a6.json 
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--ca5781dd-fe93-4489-a192-c3ff3916f2f7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--00b9e63b-57a7-408e-83d6-fc03535010a6",
+ "created": "2023-09-27T14:39:33.141Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-27T15:17:22.734Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used Valid Accounts taken from the Windows Domain Controller to access the control system Virtual Private Network (VPN) used by grid operators. (Citation: Booz Allen Hamilton)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json b/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json
index 9de9361490..50554d3ea8 100644
--- a/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json
+++ b/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json
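Review bot: The citation text on the new `external_references` entry (`"description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "`) does not follow the `Author. (date). Title. Retrieved Month D, YYYY.` form used by the other references in this patch, and it carries a trailing space and a misplaced period. Anything that renders or parses citations will show it inconsistently; `"description": "Booz Allen Hamilton. (<publication date>). When The Lights Went Out. Retrieved October 22, 2019."` would match the rest. The `source_name` is only the publisher's name, and since the relationship text resolves it through `(Citation: Booz Allen Hamilton)`, a report-specific key would presumably avoid a clash if another document from the same publisher is cited later. This object also declares `"x_mitre_attack_spec_version": "3.1.0"` while the other relationships added in this patch use `3.2.0`; worth confirming that is intended.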
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec48195d-870a-4719-99ef-03c1769e0f2d", + "id": "bundle--24bd6aea-30e4-4181-9b44-615f572a2c65", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json b/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json new file mode 100644 index 0000000000..b79852617c --- /dev/null +++ b/ics-attack/relationship/relationship--011f1d16-c9f1-48ac-94f1-165466c155f8.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--cb6a9564-b94d-4fab-b458-1e46507d357c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--011f1d16-c9f1-48ac-94f1-165466c155f8", + "created": "2023-09-29T18:43:33.176Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:43:33.176Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json b/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json new file mode 100644 index 0000000000..b1a78ac214 --- /dev/null +++ b/ics-attack/relationship/relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f2933af0-50a4-49de-b61e-bf2133dd6de6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--012fd76f-1a10-4e48-9306-10ffae3f61dd", + "created": "2023-09-29T16:30:58.431Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:30:58.431Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json b/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json new file mode 100644 index 0000000000..9f6cb1d438 --- /dev/null +++ b/ics-attack/relationship/relationship--01335508-22bb-4185-a7e2-49ec9bee6423.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4e32d4fc-de44-4d0a-8e53-0d8e7c3a982f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--01335508-22bb-4185-a7e2-49ec9bee6423", + "created": "2023-09-28T20:15:20.293Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:20.293Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json b/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json index ac91e52e6d..306e6b5520 100644 --- a/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json +++ b/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a489d389-d34b-48ef-b635-30413e9854e7", + "id": "bundle--7af1a436-1c20-4512-b37f-cf5d8a22d0bd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json b/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json new file mode 100644 index 0000000000..6198d78de2 --- /dev/null +++ b/ics-attack/relationship/relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e2f0f668-a32c-4bdf-9a9a-fe2b2a4363d1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--01d002a2-696a-4e22-b227-b0b32f54eaf0", + "created": "2023-09-29T18:42:27.894Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:42:27.894Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json b/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json new file mode 100644 index 0000000000..59fca592ef --- /dev/null +++ b/ics-attack/relationship/relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e9cdc863-20b2-4dbe-a68b-b045c80cd2af", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--02117d44-46d2-41f0-a5fb-ba303e6ee124", + "created": "2023-09-29T18:55:47.037Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:55:47.037Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json b/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json new file mode 100644 index 0000000000..2ce1d5cbbf --- /dev/null +++ b/ics-attack/relationship/relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--68c80c8d-0f33-4413-a231-ee4f9ad18399", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--026ba3e5-ae3b-4a8b-83c0-ea8327cd9e50", + "created": "2023-09-29T17:42:44.516Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:44.516Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json b/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json index 55234173a0..e86336affe 100644 --- a/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json +++ b/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e295321-79e2-44af-b0b3-7e2a53a65f8e", + "id": "bundle--3514f481-9afd-465f-bfbc-925f4b573e94", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json b/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json index b7ffb3aa94..121320b616 100644 --- a/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json +++ b/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed2527ae-58ae-4498-bfb7-41ec38c357d0", + "id": "bundle--df49b466-1bdc-447b-921c-b9d110e9dcc6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json b/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json new file mode 100644 index 0000000000..c528cdca58 --- /dev/null +++ b/ics-attack/relationship/relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--335391c1-191b-4c06-a52a-4c4f84e61d8d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--02f547fd-2565-4130-a4be-c4ba7b5aeb0c", + "created": "2023-09-29T17:59:31.091Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:59:31.091Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json b/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json new file mode 100644 index 0000000000..3d39562bd3 --- /dev/null +++ b/ics-attack/relationship/relationship--033b4401-261f-498b-89f3-2bad9ff5907a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f9facff4-4be8-4e03-9516-551d4bb681b5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--033b4401-261f-498b-89f3-2bad9ff5907a", + "created": "2023-09-29T17:58:15.338Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:15.338Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json b/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json index 968171c506..bcace0e2ef 100644 --- a/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json +++ b/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--099aa404-bdb1-49aa-8333-1ee0aee3a186", + "id": "bundle--de28f811-f640-49ac-86db-ff03d2585089", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json b/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json new file mode 100644 index 0000000000..38d1336c62 --- /dev/null +++ b/ics-attack/relationship/relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4a54b952-6df4-4068-8267-2c448438da4b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--03aab956-54f3-4e4b-93a7-6d1898d91b57", + "created": "2023-09-29T16:29:03.438Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:03.438Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json b/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json index 806a2711ab..0da7e212ec 100644 --- a/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json +++ b/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c03fd171-0bc3-4a9e-83a4-5bbbca426efd", + "id": "bundle--35fbad0b-b716-4b87-a4da-f65a513b09c8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json b/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json index 2bf4120252..af52fd1d1b 100644 --- a/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json +++ b/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f215e062-dae1-4796-ada0-bd327f3db6f0", + "id": "bundle--11a78de1-51ad-489d-b359-e86b8a4025ba", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json b/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json index 5b62dcf7be..dbeb6618d6 100644 --- a/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json +++ b/ics-attack/relationship/relationship--03e80e3c-28b9-4e7f-8b17-7c86d1483b91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--922e83d8-5a3f-44f6-a92d-849e51707365", + "id": "bundle--08b5d9f2-4bb3-4cc9-a402-5f8691f3ea4e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json b/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json new file mode 100644 index 0000000000..ff83f04cfe --- /dev/null +++ b/ics-attack/relationship/relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--55fc8f55-b54f-44be-a721-1a19dc598be5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--03e94c12-cd51-4f39-a33d-c66a31bbf361", + "created": "2023-09-29T17:40:34.866Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:40:34.866Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json b/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json index 79d2f7abda..23aab3ff32 100644 --- a/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json +++ b/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22ed522d-05a1-4e3c-ab0d-5c2b583d3033", + "id": "bundle--c458efad-1b65-4119-870e-97ebc81c4c08", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json b/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json index 4bc2a670b4..c200bfd85a 100644 --- a/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json +++ b/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d921494d-55de-4e54-8a6b-dcaefe809595", + "id": "bundle--ac3903ee-6aa5-4563-8415-3e73da3bf0bc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json b/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json index 5594bca183..3f9e708ea7 100644 --- a/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json +++ b/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f2a5ccb-49f8-4116-a2de-ddfafc41ac4e", + "id": "bundle--2c3ff387-4511-4ff3-b974-51731fa6c862", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json b/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json new file mode 100644 index 0000000000..f174569534 --- /dev/null 
+++ b/ics-attack/relationship/relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a63dec32-5636-44b6-a61d-a8765cff7cae", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--04aad4a8-8b8c-45d9-bb34-508fe4792863", + "created": "2023-09-28T20:29:11.776Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:29:11.776Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json b/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json index 698fad0b19..14369df579 100644 --- a/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json +++ b/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce95dcc8-4fb9-4b73-916a-24b8545b3404", + "id": "bundle--f118bcb8-9607-41c1-90dc-a3a128f8e12d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json b/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json index ee32622b56..ae5330eb62 100644 --- a/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json +++ b/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--99635a42-1b05-4b6c-99e8-b0af13b71fdc", + "id": "bundle--2d26368d-dd75-427e-ae2e-689966a7c343", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json b/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json index 2bfc7ae247..2467a2fd6b 100644 --- a/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json +++ b/ics-attack/relationship/relationship--052552e9-eac0-4b37-9df8-2e921053e305.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b191c7c5-d8d4-476a-b10f-b11bf7e9e52f", + "id": "bundle--16a100b1-d49b-4943-8201-727866a27708", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json b/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json index 9fb7833183..c09dcf13c1 100644 --- a/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json +++ b/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97f4700c-8801-4444-a132-e9023fdd5a94", + "id": "bundle--f6e4a6c2-6944-4ae3-9e27-ec20cff1c5f3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json b/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json index 6c268c8446..c1545c9035 100644 --- a/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json +++ b/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd96f454-33b5-4544-8fab-403822fc94b8", + "id": "bundle--cccdd824-ee71-4d05-80a0-19b33d334a15", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json b/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json index 0bec267d3f..57edcc0df6 100644 --- a/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json +++ b/ics-attack/relationship/relationship--06782c99-93de-4db9-9c30-6f96aef894d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7edd1292-92ce-4981-82d2-bf3b186da4d5", + "id": "bundle--372d60b3-9c60-4d82-8622-670502a003f4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json b/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json index 5829800629..0d47b18512 100644 --- a/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json +++ b/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--320eee39-b451-423e-857c-9618106ebb70", + "id": "bundle--97055d6f-25a8-4395-8704-434fff54d850", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json b/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json index 3e987534f8..d1318328b6 100644 --- a/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json +++ b/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--357a8321-406d-48ae-8743-fd03d6cce368", + "id": "bundle--bb1ab5c2-411f-4055-b194-071cca05fc27", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json b/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json index 6b8f907652..9f9bae1a39 100644 
--- a/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json +++ b/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--623c6ed4-501d-4959-986c-72c6cb055cf1", + "id": "bundle--fe4bdf36-1505-44c0-a167-6807c84e7723", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json b/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json index 6a83775c16..d876f7f11c 100644 --- a/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json +++ b/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--217c2f46-98bd-4031-bc92-2f70d905eecc", + "id": "bundle--70e1a5b9-421b-4add-a193-c788931ddbef", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json b/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json new file mode 100644 index 0000000000..9cc89b3967 --- /dev/null +++ b/ics-attack/relationship/relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--85e30c58-16c5-44a0-a81e-811369477fe9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0750563d-a86c-4822-ab9c-0f2d3c304c6e", + "created": "2023-09-28T21:28:51.104Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:51.104Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json b/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json new file mode 100644 index 0000000000..c8218c4a4a --- /dev/null +++ b/ics-attack/relationship/relationship--076bfea6-309e-4804-a147-dffe93983481.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--983afaf7-8efb-4fdf-8909-e89af67a5aa7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--076bfea6-309e-4804-a147-dffe93983481", + "created": "2023-09-28T20:16:17.295Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:17.295Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json b/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json index 8c84bcd703..28e946803a 100644 --- a/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json +++ b/ics-attack/relationship/relationship--07c0e166-f05e-413f-8f3e-f487317c9626.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79dc31fc-e363-4491-be71-f3762c1daf81", + "id": "bundle--2e92e904-5512-4b92-9002-c88d37ecb1af", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json b/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json new file mode 100644 index 0000000000..175cfd2cfe --- /dev/null +++ b/ics-attack/relationship/relationship--07e06d21-e666-4274-838a-ef9996fdc0cd.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f725a0b8-3e11-4a6e-8d40-e5177039bf43", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--07e06d21-e666-4274-838a-ef9996fdc0cd", + "created": "2023-09-28T20:05:45.540Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:05:45.540Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json b/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json new file mode 100644 index 0000000000..d9fc36151a --- /dev/null +++ b/ics-attack/relationship/relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5b828ea7-d8d4-44c4-8189-f31a29571bd2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--07f11dc3-60d7-42d3-a4f0-82eba85dfe44", + "created": "2023-09-29T16:47:20.192Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:47:20.192Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json b/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json index d7a8bc1610..46b55dcb11 100644 --- a/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json +++ b/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2f82719-f987-46cd-920c-cd4a94bab3e3", + "id": "bundle--d174c5e3-51b1-437b-95ab-de633394d370", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json b/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json index 80a10430f0..ade4990c9e 100644 --- a/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json +++ b/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd71570c-b9f4-47b7-a64c-f08980edd2a2", + "id": "bundle--6df72558-d4d5-4b00-9f88-a96bfe173107", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json b/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json index 956816c0ff..c831796275 100644 --- a/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json +++ b/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43a39739-58d3-447d-858e-ba28bf65307c", + "id": "bundle--7052e88a-ec78-4771-84d3-5f7b1a265701", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json b/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json index 46691c120f..f521c7e11a 100644 --- a/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json +++ b/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2eaf09e1-84be-4ea0-9177-1f00128cdb36", + "id": "bundle--0da9b20b-a2b8-4bca-b037-9d1f1193d309", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json b/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json new file mode 100644 index 0000000000..bc086c2039 --- /dev/null +++ b/ics-attack/relationship/relationship--0951222a-42d1-4635-bb12-5285bc6500e0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ab5e2ccb-dc7c-43a9-9e75-42bd2cc62638", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0951222a-42d1-4635-bb12-5285bc6500e0", + "created": "2023-09-28T20:15:45.244Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:45.244Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json b/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json new file mode 100644 index 0000000000..c1d9fc3ead --- /dev/null +++ b/ics-attack/relationship/relationship--095456bc-898b-4c76-a062-ff0ea90aeab4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bc3afc6f-c89a-4b90-ab95-f32f3659d54d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--095456bc-898b-4c76-a062-ff0ea90aeab4", + "created": "2023-09-28T21:25:05.393Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:25:05.393Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json b/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json new file mode 100644 index 0000000000..91f37d2704 --- /dev/null +++ b/ics-attack/relationship/relationship--096c3136-dac9-4729-98c0-c8d870f2bd13.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c6fa4576-3a10-4b6f-acfe-0ad0390a4966", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--096c3136-dac9-4729-98c0-c8d870f2bd13", + "created": "2023-09-28T19:42:01.055Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:42:01.055Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json b/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json index 71fcf46736..c8d8978c57 100644 --- a/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json +++ b/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--602477fd-fbb3-4d1e-8f45-2156f314c36e", + "id": "bundle--7f405124-4c94-4fe5-8f8e-9b38aac0a9ec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json b/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json new file mode 100644 index 0000000000..756a2a6057 --- /dev/null +++ b/ics-attack/relationship/relationship--09e0c991-1707-431b-a0fd-fd8215e6d552.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8fe375fb-7dd5-4ccf-ab3b-19046894374e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--09e0c991-1707-431b-a0fd-fd8215e6d552", + "created": "2023-09-28T20:30:12.291Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:12.291Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json b/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json new file mode 100644 index 0000000000..ec94d0d5f5 --- /dev/null +++ b/ics-attack/relationship/relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--eb1ea1b2-fe4e-4a98-a15d-b9be02e0b926", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--09e9ed5d-bf32-4aee-8441-774e21ffbdb6", + "created": "2023-09-28T19:53:56.266Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:56.266Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json b/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json index c70dd65f66..b3cc210e0c 100644 --- a/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json +++ b/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94e68f29-2e65-46c7-bda0-9a9310a0e6f6", + "id": "bundle--1f92beca-ecb9-4e06-9f6d-844bc57c3c2b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json b/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json new file mode 100644 index 0000000000..4a1946a889 --- /dev/null +++ b/ics-attack/relationship/relationship--0a421699-f013-49f4-9d9f-01d95d210510.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e33be158-0251-4653-af0d-941aca505be4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0a421699-f013-49f4-9d9f-01d95d210510", + "created": "2023-09-28T19:37:25.214Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:37:25.214Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json b/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json new file mode 100644 index 0000000000..be0ab56fd9 --- /dev/null +++ b/ics-attack/relationship/relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--654ab3ca-7554-4bc3-8c1d-524e186f34cb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0a5002d3-cf0d-4e26-9fc4-8faff7f6578a", + "created": "2023-09-29T17:38:04.048Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:04.048Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json b/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json index 3e4c5f8ead..edcf53bb88 100644 --- a/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json +++ b/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--497f889c-3e1d-474a-b36e-210dd6441374", + "id": "bundle--85e7a56e-c39b-438d-a72a-104dbbe997ec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json b/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json new file mode 100644 index 0000000000..90b0871412 --- /dev/null +++ b/ics-attack/relationship/relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--39b8a719-8d4f-4a5e-b2db-e849ee509d5d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0b2a6fc5-3416-4d78-96cb-f6325c91ab91", + "created": "2023-10-02T20:23:11.865Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:11.865Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json b/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json new file mode 100644 index 0000000000..c632e9a6d4 --- /dev/null +++ b/ics-attack/relationship/relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--dba8d63e-73c7-4519-b200-145a44f8e115", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0b2d0517-9943-413e-a6f9-30c6d5ce8c42", + "created": "2023-09-28T19:59:10.561Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:59:10.561Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json b/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json new file mode 100644 index 0000000000..c01969b871 --- /dev/null +++ b/ics-attack/relationship/relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8c9f4564-ee8d-44cd-8711-3cd8915180b8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0b6cd19f-ee13-4224-9e22-f8a9e626d98f", + "created": "2023-09-28T21:22:48.239Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:22:48.239Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json b/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json index c399abda65..37a56d99df 100644 --- a/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json +++ b/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f5bf0b7-e8b8-4657-8eac-a98e7d79a2d8", + "id": "bundle--6a4ae8ec-8879-4d93-8de4-8e3db32972a5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json b/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json new file mode 100644 index 0000000000..69fedf3600 --- /dev/null +++ b/ics-attack/relationship/relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e45c64a2-accf-4792-8e9e-99470fefbd0c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0ba1db3a-389a-4937-975b-d2dc0142cb4b", + "created": "2023-09-29T18:46:22.739Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:46:22.739Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json b/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json new file mode 100644 index 0000000000..02666f2a81 --- /dev/null +++ b/ics-attack/relationship/relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--641363a3-41d7-4b9f-8f19-288327184545", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0bc90405-24a9-4f84-a1bb-bf953dbca016", + "created": "2023-09-28T20:10:34.479Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:10:34.479Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json b/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json index 8f0ad87b76..aad7b96e5c 100644 --- a/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json +++ b/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c39ce600-df27-4271-ac80-3c5454c730a1", + "id": "bundle--b3c3fb53-3481-49da-84fe-ff6eb4aa1a74", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json b/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json index fa53ecae32..692fc78af5 100644 --- a/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json +++ b/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b74b035-bc85-4b82-91e3-aceb2c225630", + "id": "bundle--01bf6501-62d1-4994-95cc-d851af252d49", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json b/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json index 2b063bf75f..7dbe4583a9 100644 --- a/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json +++ b/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--76471a1a-c9c7-4b78-a646-5604cd7e0068", + "id": "bundle--a952277a-d2fc-4d75-829e-c392e28699ba", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json b/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json index 6a7568cb49..4fa7e78ed6 100644 --- a/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json +++ b/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b843a98a-0981-4341-9010-ac2667be9d75", + "id": "bundle--27c274fa-8d38-4cd9-837d-54ac1eb49f6b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json b/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json new file mode 100644 index 0000000000..7683137397 --- /dev/null +++ b/ics-attack/relationship/relationship--0c72593d-fcc6-4023-8771-bed5e243310e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d98057a9-89a0-49b9-ab0b-e29c1c59f830", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0c72593d-fcc6-4023-8771-bed5e243310e", + "created": "2023-09-28T21:24:37.417Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:24:37.417Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json b/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json index 7c504416f2..0cb71ebd22 100644 --- a/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json +++ b/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8cc41a5f-a1b9-4e71-a0fc-5bf670177701", + "id": "bundle--5f7bb8f6-8cf0-4811-bdb3-abb3dab60060", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json b/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json new file mode 100644 index 0000000000..0a52f1a3c5 --- /dev/null +++ b/ics-attack/relationship/relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2582325e-407c-422b-bde3-916735d03eb7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0cab29c6-d196-47b0-8621-10ac3c8a95d8", + "created": "2023-09-28T19:51:27.775Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:51:27.775Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json b/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json index 132fcd6bdc..08374ce1fd 100644 --- a/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json +++ b/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bd6c1d55-2ec8-451e-a9c5-83f9e6368d0e", + "id": "bundle--32c43444-1306-4061-b4b2-1b90568826a8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json b/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json index b69a07fed7..44ef81c079 100644 --- a/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json +++ b/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--446995be-f7e4-4d09-9012-3fa218855386", + "id": "bundle--cd45ab4e-2481-43f7-9dd8-1f901566f588", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json b/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json new file mode 100644 index 0000000000..0d6286c87e --- /dev/null +++ b/ics-attack/relationship/relationship--0d52eea3-394e-492b-944b-9ccb6348329d.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e293fe3a-8148-4d90-8440-f2b8974b529a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0d52eea3-394e-492b-944b-9ccb6348329d", + "created": "2023-09-28T21:14:41.633Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:41.633Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json b/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json index 6fc2474ad8..8899ab29d9 100644 --- a/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json +++ b/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e1707d1-792b-4529-92ba-64dbdecdf633", + "id": "bundle--42dfb3c6-9302-4b95-856f-a7afeb96d4d2", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json b/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json new file mode 100644 index 0000000000..c5eb71f388 --- /dev/null +++ b/ics-attack/relationship/relationship--0d8e0324-ba8e-4712-a123-60377afe94da.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d26b262c-cc82-48a4-bc16-24030fb8a525", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0d8e0324-ba8e-4712-a123-60377afe94da", + "created": "2023-09-29T18:48:17.073Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:17.073Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json b/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json new file mode 100644 index 0000000000..39d2e59128 --- /dev/null +++ b/ics-attack/relationship/relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--72000af4-a60c-4890-bca0-a8c8600f82f4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0dbf48f3-4579-4ca2-aceb-19d3e0449136", + "created": "2023-09-29T17:57:12.010Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:12.010Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json b/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json index d3b96d8c0f..a0eb4008b4 100644 --- a/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json +++ b/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3727bd3f-801c-4961-bbe1-f630fdcba225", + "id": "bundle--62c07113-d736-4326-a64a-17e6b42b4b26", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json b/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json index 7d8f6efc8d..ff1100a9d9 100644 --- a/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json +++ b/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--82b72886-9aac-4f86-bb29-e0c077cc3f34", + "id": "bundle--7ecba36a-a421-4e9b-ad66-755457e79a5c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json b/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json new file mode 100644 index 0000000000..edcc424cdb --- /dev/null +++ b/ics-attack/relationship/relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--273d8584-f4af-49aa-b3f4-efb71f3a8369", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0e263b73-a033-4fac-9d6d-076ab8f8b954", + "created": "2023-09-29T16:27:50.949Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:27:50.949Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json b/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json index 43a1af0944..4cc29579b1 100644 --- a/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json +++ b/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--187cf899-c568-4d19-893f-ba07e72ba4e5", + "id": "bundle--5c48d010-eb5a-4901-9943-053e49d8077e", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json b/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json index 4d27e2852b..1f4e84fa85 100644 --- a/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json +++ b/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1136b512-c87a-4db5-9064-4d49b3873b96", + "id": "bundle--5a1634bf-6a3c-4e0d-ae71-e4a93a966396", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json b/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json index efaae62d73..01f85ee7f9 100644 --- a/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json +++ b/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a44425d5-051b-4687-bd67-26156d532e38", + "id": "bundle--02546de9-4b1b-4e52-b1bd-6de96dee9e3b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json b/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json index 7223064cad..cb9cfcaafd 100644 --- a/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json +++ b/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ff135ab-7a89-4dc7-b21c-9822246eed0e", + "id": "bundle--6788ce12-ce75-4a29-bc1d-eea27be02427", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json b/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json new file mode 100644 index 0000000000..393d07231d --- /dev/null 
+++ b/ics-attack/relationship/relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5d8f3dae-eaa8-40d7-9b29-59493f7fa44c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0ef1e408-8ebb-4b28-b619-02914b7bae29", + "created": "2023-09-29T17:57:34.378Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:34.378Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json b/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json index 40a4a9c226..e5f35626ae 100644 --- a/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json +++ b/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a97c0772-126c-4632-a1c6-eb243efbda51", + "id": "bundle--0ccb2dda-e6ee-4a78-b0f3-b015370805d8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json b/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json new file mode 100644 index 0000000000..70b2b839a5 --- /dev/null +++ b/ics-attack/relationship/relationship--0f5295ce-d705-4541-8dda-c569b126d103.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8e09f82b-2a8a-43f0-ac4b-64f46e7e229a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0f5295ce-d705-4541-8dda-c569b126d103", + "created": "2023-10-02T20:24:03.723Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:24:03.723Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json b/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json new file mode 100644 index 0000000000..c6c5b55ed4 --- /dev/null +++ b/ics-attack/relationship/relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--da63e5df-7652-4c70-a59a-df093f7723ce", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0f5710a7-f015-40b8-ad3d-f281699f2b72", + "created": "2023-09-29T17:09:11.210Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:11.210Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json b/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json index 3637bb1073..e7621f2368 100644 --- a/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json +++ b/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ddc7ecab-bedc-4620-a9f5-0602cb6eccb5", + "id": "bundle--ae9ca8c4-a52d-4fb3-bf86-4f3bf2d9b04f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json b/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json index fc85ee9462..e03a0f7d17 100644 --- a/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json +++ b/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--865a3da6-f6f2-4e58-b7c8-3624b7563072", + "id": "bundle--e38c591e-c80e-4da1-a4f0-84df9f0e6149", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json b/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json index 6a89c4dabb..4ff91df4c3 100644 --- a/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json +++ b/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e6d88503-cddd-4191-8f43-e6857fa66b4c", + "id": "bundle--17119f3b-2935-46a9-a449-47a11eabe8c4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json b/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json index dac982ca69..52c6b54b6f 100644 --- a/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json +++ b/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1b1b7ca-7a91-461d-ae5d-91d8b5d456c0", + "id": "bundle--c86769be-6a5b-4c89-9665-822a2f11e7f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json b/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json index d4d5c925ce..ff64b9a43c 100644 --- a/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json +++ b/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a563d843-f2ad-4cf0-ae33-12465503f7ed", + "id": "bundle--c911e1ad-4b0a-4760-8966-e7c543257548", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json b/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json new file mode 100644 index 0000000000..045fb454f5 --- /dev/null +++ b/ics-attack/relationship/relationship--106530e1-375a-4ac4-befb-8297b3b05610.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3b82f819-ca45-4660-a326-a749957e73d9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--106530e1-375a-4ac4-befb-8297b3b05610", + "created": "2023-09-29T18:55:58.199Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:55:58.199Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json b/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json index c9e0af2508..569ce3a633 100644 --- a/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json +++ b/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20ef456c-f89d-4a58-aa62-4c21fdc5659e", + "id": "bundle--da5524be-6d04-4d6f-929a-6423aee1b80a", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json b/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json deleted file mode 100644 index ef2a210160..0000000000 --- a/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json +++ /dev/null @@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--cb112fa2-e3fb-44f7-b5aa-949c0959e942", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", - "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 2021/04/07 ", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:53:50.448Z", - "description": "In the Ukraine 2015 incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. (Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json b/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json index d85151cd92..5a5ddc0048 100644 --- a/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json +++ b/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00e3dc40-34fb-459d-b620-14e4578ad00c", + "id": "bundle--92d422bf-9948-455d-bd7e-ccdf82a4706d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json b/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json index 47cd60a255..b39fe3cc78 100644 --- a/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json +++ b/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f65c7c2-9297-495e-96e4-c8af77047efa", + "id": "bundle--c13a6326-0773-4017-99e8-9196ecde1e8a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json b/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json index e0b1f0eb29..d83bb011b7 100644 --- a/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json +++ b/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab60f407-cf6f-40cb-821d-b6d4946d1ca4", + "id": "bundle--a570e7c5-0e05-4d53-b302-423116e63808", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json b/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json new file mode 100644 index 0000000000..7538205230 --- /dev/null 
+++ b/ics-attack/relationship/relationship--11840b30-f0d1-4df5-a960-cdb80749c32a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7c8181a8-394d-445d-97bd-200453305257", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--11840b30-f0d1-4df5-a960-cdb80749c32a", + "created": "2023-09-29T17:07:25.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:07:25.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json b/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json new file mode 100644 index 0000000000..34a18d1e83 --- /dev/null +++ b/ics-attack/relationship/relationship--11a82651-4d69-4738-89c6-17d0243cbbb0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--30b5481e-5e47-46db-8cd3-be0cf979caf4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--11a82651-4d69-4738-89c6-17d0243cbbb0", + "created": "2023-09-29T17:37:26.536Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:37:26.536Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json b/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json index 986a4306c6..ae11855617 100644 --- a/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json +++ b/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69423f15-2d3f-42cc-8232-fd18a22bc1c2", + "id": "bundle--3025e4b3-6a28-4986-90cd-0242790985af", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json b/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json index 2060e94463..adca2db3cb 100644 --- a/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json +++ b/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90dde535-1f13-461a-a6e3-cddc6b453c1b", + "id": "bundle--91b6c346-3a61-4c37-a6a0-1bbef04317aa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json b/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json new file mode 100644 index 0000000000..fc7e190ec0 --- /dev/null +++ b/ics-attack/relationship/relationship--128de3f9-df58-4122-9523-0ac65a6ebf71.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bcf72486-3709-456f-87d3-58f1d3ee98bf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--128de3f9-df58-4122-9523-0ac65a6ebf71", + "created": "2023-09-29T17:45:20.237Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:45:20.237Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json b/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json index bccf98a4e3..a29eea1056 100644 --- a/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json +++ b/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc51052f-166e-472d-9f79-c738c8f1f69b", + "id": "bundle--e7ad3829-5a3f-4da9-9ca4-64c5fffd1e6b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json b/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json index e21e0d3a93..48494a46a9 100644 --- a/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json +++ b/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc002ab0-71af-4278-8fc0-5f2dbc8eedc5", + "id": "bundle--e77cb02e-1a9b-4b2a-9662-e0860dc58e40", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json b/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json index f0c2f12524..f9ce6a761e 100644 --- a/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json +++ b/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ac5181ef-95a6-4248-8b4b-a691581729da", + "id": "bundle--236934a9-880a-4b31-b2ff-2fe71c287497", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json b/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json new file mode 100644 index 0000000000..8ea3b52c12 --- /dev/null +++ b/ics-attack/relationship/relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--38210525-3b81-483d-9a00-151ab422d674", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--12d6fc4f-bf06-4146-a387-4cb86f0f44a4", + "created": "2023-09-28T21:13:23.057Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:23.057Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json b/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json new file mode 100644 index 0000000000..b663e93d97 --- /dev/null +++ b/ics-attack/relationship/relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--39a530cc-2a7a-4946-bfe9-b7d62ddb0110", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--12fdacea-28f7-4113-ae67-0b19e1ab5e36", + "created": "2023-09-28T19:39:58.335Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:39:58.335Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json b/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json index 7238475898..54e00d4e7a 100644 --- a/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json +++ b/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37ebd044-1701-494c-adb8-e0e9e8568623", + "id": "bundle--76e2327f-b21a-4c45-8bce-5b86869d67a4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json b/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json index 0da0167d5c..5bdcc8f982 100644 --- a/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json +++ b/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ace630c-8e74-4a17-b09d-a7292ad32e1f", + "id": "bundle--a2695d92-266e-44f1-b0e3-c6fe78ed2bff", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json b/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json index e5adfab40a..0762f38007 100644 --- a/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json +++ b/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6cae3edc-133c-4640-9db8-536f8bc546b1", + "id": "bundle--f1ea7923-f481-4e75-addf-718cad337b5a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json b/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json new file mode 100644 index 0000000000..ed1ea9b37c --- /dev/null +++ b/ics-attack/relationship/relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json 
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--e579a390-be24-4474-8a7f-60d1e4d77278",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--13d76624-7049-45c5-94d3-8f172b7f6336",
+ "created": "2023-09-27T14:48:58.922Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-27T15:18:18.595Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) established an internal proxy prior to the installation of backdoors within the network. (Citation: Booz Allen Hamilton)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json b/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json
index e873cd7521..87602eff73 100644
--- a/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json
+++ b/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json
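Review bot: The `external_references` entry in relationship--13d76624-7049-45c5-94d3-8f172b7f6336.json has a citation description that runs author, title and retrieval date together: `"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "` (with a space before the closing quote, unless that is an extraction artifact). A cleaner form would be `"description": "Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved October 22, 2019."`, where the year is inferred from the `/2016/09/` path in the URL and should be confirmed against the report. This object also declares `"x_mitre_attack_spec_version": "3.1.0"`, while the other objects added in this part of the patch declare `3.2.0`; it is worth confirming that this is intended.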
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d12cf3c9-f24a-4639-b28b-c3bb4a9af9b5", + "id": "bundle--37aa6c36-9986-4dbb-8fa6-89ed6f859b2b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json b/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json new file mode 100644 index 0000000000..4c5c2124d7 --- /dev/null +++ b/ics-attack/relationship/relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d195105b-4bf6-497d-86e9-31093cf79878", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1429cd78-4e2a-4898-a7d8-d01a0c465bd6", + "created": "2023-10-02T20:24:12.666Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:24:12.666Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json b/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json new file mode 100644 index 0000000000..ee81ff44a7 --- /dev/null +++ b/ics-attack/relationship/relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1213d2f4-9fb1-4a81-bf5c-5eee918ff1fb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--144f6ce7-d2b2-4a76-85d2-251191a0d2cc", + "created": "2023-09-29T16:32:33.078Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:32:33.078Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json b/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json index 461a106805..d5fbd0a2e0 100644 --- a/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json +++ b/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e22bd03f-bb98-410a-a19b-53a198a95bff", + "id": "bundle--ef888cc0-a5fb-45c4-8428-3f141c9e6f43", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json b/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json new file mode 100644 index 0000000000..ba68f76299 --- /dev/null +++ b/ics-attack/relationship/relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c1176cde-a71e-48f6-9c8b-15e4769328ca", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--14c73603-a6d2-4a8d-9904-0f8249aaa495", + "created": "2023-09-29T16:40:06.079Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:06.079Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json b/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json index 5aef6fe427..a35a7b1b50 100644 --- a/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json +++ b/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8228b3ca-dd81-41f6-998e-7f23bc6f61cd", + "id": "bundle--98ba1dc2-1e4b-42fc-895d-8668a5f6f2a1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json b/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json new file mode 100644 index 0000000000..f1fc4b48a0 --- /dev/null +++ b/ics-attack/relationship/relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--575346cd-24a3-4102-ad8c-94f95123048b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--15377914-bf08-4c7e-ab00-1e272e2f3c1a", + "created": "2023-09-28T19:47:25.303Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:47:25.303Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json b/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json index c23d9151a5..0983be9fa1 100644 --- a/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json +++ b/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34102d90-ed05-438c-8af1-bb3bda7bcbbc", + "id": "bundle--ed8ffc2a-71b6-4fe5-b609-b828a3e60c4f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json b/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json new file mode 100644 index 0000000000..90cf9b2100 --- /dev/null +++ b/ics-attack/relationship/relationship--159fb736-ba92-4564-aa6d-db6f64497763.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3be2304a-7aee-46ed-9ee6-b1a3d87440d7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--159fb736-ba92-4564-aa6d-db6f64497763", + "created": "2023-09-28T20:25:59.717Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:25:59.717Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json b/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json index 82cdaf1934..89a829a146 100644 --- a/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json +++ b/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51f1b0bd-4c85-43c3-8743-b4bd17252ba6", + "id": "bundle--1b889708-949b-4373-a2dc-3fc4d6901128", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json b/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json new file mode 100644 index 0000000000..977bae8e12 --- /dev/null +++ b/ics-attack/relationship/relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fa50d716-5e3f-45c3-a1fd-696ccb0c097c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--16ac0172-02d1-4fda-99c0-61f1cef7dc4b", + "created": "2023-09-28T20:06:03.889Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:06:03.889Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json b/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json new file mode 100644 index 0000000000..a8bf744113 --- /dev/null +++ b/ics-attack/relationship/relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1401c53d-ea51-428f-afc6-0cea8e69694d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--16b74b29-e3b3-49ff-9ff4-cd7ade0f8ff4", + "created": "2023-09-29T18:48:52.853Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:52.853Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json b/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json index afbce04c28..f8ef707cd6 100644 --- a/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json +++ b/ics-attack/relationship/relationship--172e0537-7a9c-4610-9b07-32a841f0bd8d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54aa4eb2-5f10-4555-b4c5-5a20a601e5d3", + "id": "bundle--8b2a77eb-8e37-4139-8f92-0f2c8480f1ab", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json b/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json new file mode 100644 index 0000000000..d9ba3ca76d --- /dev/null +++ b/ics-attack/relationship/relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--eab63390-2234-430d-a3df-6cb4bc804d6b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1736df4d-188e-4a44-a8b3-6c6cd71dc749", + "created": "2023-09-29T17:05:30.498Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:30.498Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json b/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json index ab3becb974..3c7c940d8c 100644 --- a/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json +++ b/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60fdf5a9-be77-4b23-92e8-e41a283a72c6", + "id": "bundle--5bc6f812-f1f5-4d7e-9d1f-17cbb8021d82", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json b/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json new file mode 100644 index 0000000000..40079590ff --- /dev/null +++ b/ics-attack/relationship/relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8e6b1b97-28be-4e96-ad4c-4262446c6d9b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--17d5794d-dcd5-4e0f-87e4-87d41c24b5fa", + "created": "2023-10-02T20:18:01.546Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:18:01.546Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json b/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json new file mode 100644 index 0000000000..685d1f246a --- /dev/null +++ b/ics-attack/relationship/relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8909606b-984f-4128-80a5-2d0f3cdd5ff0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--17fd7ffd-63d9-4e1e-8b19-38095b2d65ab", + "created": "2023-09-29T17:45:45.485Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:45:45.485Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json b/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json index 738e9573c9..b03f45e432 100644 --- a/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json +++ b/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6876f50a-c39a-4745-9c2d-e714e912d3bd", + "id": "bundle--6d634395-eeb2-4749-b8a8-1b927808f5d5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json b/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json new file mode 100644 index 0000000000..a19691b5a6 --- /dev/null +++ b/ics-attack/relationship/relationship--1865830b-511d-4302-99f7-6143647a8e40.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c1ee6d6b-d2d6-4dff-b636-a89754f41e8c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1865830b-511d-4302-99f7-6143647a8e40", + "created": "2023-10-02T20:23:52.339Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:52.339Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json b/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json new file mode 100644 index 0000000000..cfcae55b1c --- /dev/null +++ b/ics-attack/relationship/relationship--18af193c-160a-4cae-9078-4d69de5c2347.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f2a34a3e-5d9b-4b41-8834-543cc511ce09", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--18af193c-160a-4cae-9078-4d69de5c2347", + "created": "2023-09-29T18:56:21.340Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:21.340Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json b/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json new file mode 100644 index 0000000000..1604272d36 --- /dev/null +++ b/ics-attack/relationship/relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--09e345e7-93d8-4e22-9fbd-b23f51a28e2d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--18cdfacf-4eba-4049-b85f-d1cab5106c75", + "created": "2023-09-29T18:02:01.822Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:02:01.822Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json b/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json index a01d66cc3f..d16c400fb2 100644 --- a/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json +++ b/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5de0612c-ed06-41c2-8498-8df4edc35ddc", + "id": "bundle--21fe3b03-0bcc-48cb-9141-3b15545c4bbb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json b/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json index d0cdbd27ef..a4a84d5f24 100644 --- a/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json +++ b/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4abda3f-c184-4ec3-8917-ab1ce4488216", + "id": "bundle--470e9a39-00a5-47a8-87ff-f8d42dc7306a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json b/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json index 91efe8700c..dec27df510 100644 --- a/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json +++ b/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b54623a8-17bb-4f74-a58e-3f9c70498b7a", + "id": "bundle--e1e48d66-4585-4925-b0dd-96d5cde2db2f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json b/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json index 434a1770a8..475bb9b466 100644 --- a/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json +++ b/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--16fbe2e3-8646-420c-84c8-304b2b19d6df", + "id": "bundle--8c245f4f-2225-4177-9f33-efe2ddf9ac9a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json b/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json new file mode 100644 index 0000000000..2c4fad716d --- /dev/null +++ b/ics-attack/relationship/relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c041936d-05c8-4117-a47a-00ab2e0ddb5b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--19df16da-8247-45ef-be13-ba58b1fb9c1c", + "created": "2023-09-28T20:11:23.956Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:11:23.956Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json b/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json new file mode 100644 index 0000000000..c1f88f7265 --- /dev/null +++ b/ics-attack/relationship/relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1a6f7c94-e566-4256-ac51-f6549ca44b2f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--19e9b914-3cb9-430c-ae02-f8e93fc2d826", + "created": "2023-09-28T21:13:49.529Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:49.529Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json b/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json new file mode 100644 index 0000000000..95d5d1a779 --- /dev/null +++ b/ics-attack/relationship/relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bafd1dd9-1533-44e2-bb89-d26125d1dbfe", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1a3ecee5-0237-4e01-8f02-90092c15a2f0", + "created": "2023-10-02T20:18:45.122Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:18:45.122Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json b/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json index a5bc9f6638..6baee9a22d 100644 --- a/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json +++ b/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71fb326d-622c-4b5d-97c5-6d0cbfcbed54", + "id": "bundle--10a439d4-98ff-4f9c-ab49-038d2273fe26", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json b/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json new file mode 100644 index 0000000000..15db418d2e --- /dev/null +++ b/ics-attack/relationship/relationship--1a900ac4-c150-4b57-a899-990854b01d4b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1fd0ff24-936f-4710-913f-80cb914fee2e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1a900ac4-c150-4b57-a899-990854b01d4b", + "created": "2023-09-29T16:33:50.423Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:33:50.423Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json b/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json new file mode 100644 index 0000000000..ed2f03c88c --- /dev/null +++ b/ics-attack/relationship/relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f6b6d3af-8c6c-4c8f-8ba6-298d329032c3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1a96ad0d-84df-4b6b-ba4c-8559de5ec356", + "created": "2023-09-29T18:57:45.950Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:57:45.950Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json b/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json new file mode 100644 index 0000000000..7bcc900a37 --- /dev/null +++ b/ics-attack/relationship/relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--51c4f36f-8992-450a-ad7a-889423399f3e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1a9ca148-a456-4b66-805f-a2bdfc7a947d", + "created": "2023-09-28T20:09:21.736Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:09:21.736Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json b/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json index aea67f7265..40869e3978 100644 --- a/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json +++ b/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7d96f1c-eefe-4e2e-8449-a4fc68c5bfa6", + "id": "bundle--65a669fa-dcb3-4aa4-bcc1-3c0645ed9ed6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json b/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json index 15e336fdd6..cac3bfa10c 100644 --- a/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json +++ b/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb0c9fe9-1593-428b-a538-bad4c2ed03f6", + "id": "bundle--a44f8b70-9304-4f20-b6fe-d29f5f1433c3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json b/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json new file mode 100644 index 0000000000..2ca2755910 --- /dev/null +++ b/ics-attack/relationship/relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--30a9b28c-14f0-4010-b3d0-291dab576d61", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1af5c5bb-0d97-4c0a-9174-4dee1ff8b185", + "created": "2023-09-29T18:01:06.725Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:01:06.725Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json b/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json new file mode 100644 index 0000000000..0f85bbeba0 --- /dev/null +++ b/ics-attack/relationship/relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6870379a-68bc-456e-a142-933ee0dcea35", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1b94c927-0445-4ed8-80f1-7b31418f60b5", + "created": "2023-09-29T17:43:41.332Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:43:41.332Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json b/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json new file mode 100644 index 0000000000..3dbebb8663 --- /dev/null +++ b/ics-attack/relationship/relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1dcfcde7-8f19-4206-b40c-d0e4119a95c0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1ba485c9-951e-4e07-8e69-1d0efc372f6b", + "created": "2023-09-29T16:41:44.745Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:41:44.745Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json b/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json new file mode 100644 index 0000000000..f68dd6975f --- /dev/null +++ b/ics-attack/relationship/relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f1b07e2c-3e58-4148-bef3-3e092ae9b36a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1bea0610-432c-4cd7-8e0e-8b7bbd09d738", + "created": "2023-09-29T18:00:32.581Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:00:32.581Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json b/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json index e8fb2beefa..b7cfb09682 100644 --- a/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json +++ b/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6e24e47-8a68-4785-89ff-a99099d784fa", + "id": "bundle--0cdd9338-96c7-4763-a516-32c088615168", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json b/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json index f9e6334c52..8512372051 100644 --- a/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json +++ b/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json 
@@ -1,21 +1,14 @@ { "type": "bundle", - "id": "bundle--dce33d5b-adac-4236-9ad7-825baceb62b2", + "id": "bundle--f3ee4f6b-0eb5-435b-9f46-5cbdc28cdfd5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.180Z", - "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "IEC February 2019", 
@@ -23,9 +16,18 @@ "url": "https://webstore.iec.ch/publication/34421" } ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:37:12.017Z", + "description": "Provide the ability to verify the integrity of programs downloaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json b/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json new file mode 100644 index 0000000000..06b7daa05c --- /dev/null +++ b/ics-attack/relationship/relationship--1c7df4f1-cee5-42c6-a974-29552552666f.json 
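Review bot: The reworded `description` in relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json still recommends cryptographic hash functions without saying how the reference digest is protected. An unkeyed hash only detects tampering when the expected value cannot be replaced together with the program. I would end the sentence along the lines of `Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used, and the expected digest should be signed or stored separately from the program it covers.` The same edit narrows "control logic or programs loaded" to "programs downloaded" while `x_mitre_version` stays at `"1.0"`. Whether a wording change like this should bump the object version is not visible from the hunk, so it is worth confirming.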
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d821c2e8-88f1-4082-a7b9-a4ce40d0d0f7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1c7df4f1-cee5-42c6-a974-29552552666f", + "created": "2023-09-28T19:47:08.952Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:47:08.952Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json b/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json index 612874005b..48ed3986dd 100644 --- a/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json +++ b/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f0adc4a-28ab-4072-aaed-2a3821d1ff80", + "id": "bundle--e340ce63-8619-49dd-8958-709f465b69cd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json b/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json new file mode 100644 index 0000000000..a99c25c5d7 --- /dev/null +++ b/ics-attack/relationship/relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2ee11306-bbbd-4c4c-b867-b016eb17e6b5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1cf89a8b-c0f6-4ffb-ae39-36e2a9d3b081", + "created": "2023-09-29T18:46:12.052Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:46:12.052Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json b/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json index b40d030053..f72c91aea0 100644 --- a/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json +++ b/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f38075a5-a43e-4ae2-94ef-470e1615a3f8", + "id": "bundle--e48ddf4c-2665-46da-86a8-2ae69b863274", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json b/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json index d30dd45471..761c1c2e0b 100644 --- a/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json +++ b/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95308345-2961-44b2-8c9f-65efc915f90c", + "id": "bundle--89eca6c6-1a81-4862-8de9-928f1d036399", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json b/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json new file mode 100644 index 0000000000..39edad7c4b --- /dev/null +++ b/ics-attack/relationship/relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--17a99d74-4fcb-447d-931c-e18483496901", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1d6fa472-a1fe-4657-a60d-c7f1c39b1653", + "created": "2023-09-29T17:40:22.705Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:40:22.705Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json b/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json new file mode 100644 index 0000000000..fdffb30c97 --- /dev/null +++ b/ics-attack/relationship/relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--bb8a7534-bfef-41c7-85b4-99e13f82e20c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57", + "created": "2023-09-27T13:22:26.752Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T13:25:35.597Z", + "description": "(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json b/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json index d23eced50a..502cf12937 100644 --- a/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json +++ b/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--007cfc94-fb5b-4daa-8cb7-b5a5af17f35c", + "id": "bundle--3192f767-8fed-4e8c-b073-cba15ae9b373", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json b/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json index 66e8b19d49..c399ca5f09 100644 
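Review bot: The new `uses` relationship in relationship--1dad5efc-395f-4b92-8f4f-3e987a4d5e57.json has a `description` that is only `(Citation: Booz Allen Hamilton)`, so the object records that the campaign used the malware but not how. A one-sentence summary of the behaviour reported in the cited document, placed before the citation, would give analysts who map detections to this relationship something to work from. The `external_references` description also ends with a trailing space and reads `Retrieved. 2019/10/22 `, which looks like a misplaced period; `Retrieved 2019/10/22.` is presumably what was meant.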
--- a/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json +++ b/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4907b689-04a5-4251-b1cb-f8f061d2397c", + "id": "bundle--71590032-c0d3-425f-94c3-e9c78da44d86", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json b/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json index 93605ed15f..a521fde9ec 100644 --- a/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json +++ b/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--094a20d6-885c-4c3a-9584-a26c8869e5ac", + "id": "bundle--d45ae313-6d5b-4769-8de6-e0b48270f072", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json b/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json new file mode 100644 index 0000000000..61c20bc77a --- /dev/null +++ b/ics-attack/relationship/relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--06843bef-fa65-4d52-9962-4322f9f43fa2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1f393d04-36db-4bae-a2a4-53ff12a1240e", + "created": "2023-09-28T21:12:25.345Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:12:25.345Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json b/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json index 4f4fb81e1a..909357ebec 100644 --- a/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json +++ b/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--299272a4-7445-4ba2-a7cc-3ca9f6995319", + "id": "bundle--07d66b1d-fb4d-4b4a-b834-b0dbde166c91", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json b/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json index 51c7a84662..a4825ed975 100644 --- a/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json +++ b/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d91a9d2f-4568-4017-b7a6-17d2df8fc229", + "id": "bundle--1e2409ce-2f36-42d0-9c55-ae3167bbbe02", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json b/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json index 8145d337c2..84d0c35e8c 100644 --- a/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json +++ b/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--079f6c0a-9fe2-45b0-97ed-29baaeab8d49", + "id": "bundle--cb9a7b9d-eebc-4c93-b826-652784b65634", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json b/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json index 2d5f4949c5..ef6ba7673a 100644 --- a/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json +++ b/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fee5d9f7-d425-45ac-b89e-e7b276fb0e16", + "id": "bundle--d6a85cc9-39a3-4c5c-b4ef-c34fd1066913", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json b/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json index 5f7d43d31c..b16ef998aa 100644 --- a/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json +++ b/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b6b1ccdb-e1c0-490a-a1ac-8c4d21c68a2b", + "id": "bundle--5c40e58d-1f94-47b5-a3ab-54e416022b53", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json b/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json index 30bca6fae3..837ac4620f 100644 --- a/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json +++ b/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5a78159-aa27-423e-a97a-2747a1634eeb", + "id": "bundle--0b1c310b-73b3-4e31-8b77-0df05f54a0a6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json b/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json new file mode 100644 index 0000000000..dbb2b1a4b3 --- /dev/null +++ b/ics-attack/relationship/relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--35c0f342-09bc-4f7a-9f8d-a0c645eac207", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1fd49958-9695-4137-9aaa-57fde4b97cc8", + "created": "2023-09-29T17:09:59.595Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:59.595Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json b/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json index 32154f4c40..fb7486c804 100644 --- a/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json +++ b/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a9d2e0f-65d6-4b38-8602-b6cd2b168da7", + "id": "bundle--1f47a7ca-236b-40ca-94f4-b5362096254d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json b/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json new file mode 100644 index 0000000000..33a06eacb5 --- /dev/null +++ b/ics-attack/relationship/relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--36aff7d6-6f8b-4c9c-973d-75660ba398b1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1fd5badc-0e9f-462c-9738-550e7e8d8ae3", + "created": "2023-09-28T19:54:37.802Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:54:37.802Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json b/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json index b25850a9c1..118db93c00 100644 --- a/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json +++ b/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b804efc3-941f-4823-83cc-7a8892f4caae", + "id": "bundle--096ac735-a1df-4843-8e1b-dfee85bc701c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json b/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json index 6d0f9ebd24..d43f522bc1 100644 --- a/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json +++ b/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3570313b-925e-40cd-9412-d30186c9e03a", + "id": "bundle--1ee7a851-5316-40eb-9143-9e6a5ef6f293", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json b/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json index 856182ae4a..c27b11d26b 100644 --- a/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json +++ b/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1fe0d720-31b2-4b35-bf94-c47e2799a4ae", + "id": "bundle--1f9581ec-4b74-4dee-8593-ca239bcc55e7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json b/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json index e247975587..1eea89f126 100644 
--- a/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json +++ b/ics-attack/relationship/relationship--2087b2b9-3b30-45be-abcd-4320bf0fa66b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8618c19-3ff8-437c-bdcb-b47861a48941", + "id": "bundle--1667ec51-b4eb-4fce-9549-aefa7dcd5fa3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json b/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json index 2157b6a04b..7d6536370f 100644 --- a/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json +++ b/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1080fc8d-2baf-4a42-ae32-fdcc687dc3da", + "id": "bundle--da15f70d-812c-4e0b-a6b8-21f7723c9b63", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json b/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json new file mode 100644 index 0000000000..12880fc149 --- /dev/null +++ b/ics-attack/relationship/relationship--208fe57b-cf2e-4188-8a6f-77597cd60351.json 
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--cafce9f5-25fe-481f-bfd2-07ff59b621d9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--208fe57b-cf2e-4188-8a6f-77597cd60351",
+ "created": "2023-09-29T17:44:43.317Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:44:43.317Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
+ "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json b/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
index 08c77cc93e..7fd32cfcff 100644
--- a/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
+++ b/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ef9fdd6f-43b4-40b6-a810-8b91bdecc625",
+ "id": "bundle--52c59f7c-9f3c-4228-8ff0-08c93ad9eb77",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json b/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
index 1c4a28de8c..7e6ed7fd7f 100644
--- a/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
+++ b/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--65b0a719-2115-478b-85ec-b752765aab47",
+ "id": "bundle--ca0aa3b5-af92-43bd-8020-32564faa8684",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json b/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
index ded01c05e2..10d75d4dde 100644
--- a/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
+++ b/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--300bebe9-f7fa-4911-b196-511ae563614a",
+ "id": "bundle--fe091109-044a-4014-8b4a-ddd4881facad",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json b/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json
new file mode 100644
index 0000000000..19626ab08b
--- /dev/null
+++ b/ics-attack/relationship/relationship--21058f32-3d6e-4381-9288-5c2248e84cce.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--3cc18510-ff1a-4f82-9dce-6caaf128397d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--21058f32-3d6e-4381-9288-5c2248e84cce",
+ "created": "2023-09-29T18:44:27.240Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T18:44:27.240Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
+ "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json b/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json
index 8fff698bad..a6bd4f24f9 100644
--- a/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json
+++ b/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d9e86b48-2e2c-4c58-a4c9-a1421e41a3a5",
+ "id": "bundle--35aaa922-aa22-49ba-8c68-464398480b30",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json b/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json
new file mode 100644
index 0000000000..b467bf736a
--- /dev/null
+++ b/ics-attack/relationship/relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--882cb87f-c631-4446-8877-f5b602d8b3c8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2138f4ee-5111-4469-92bb-1fc82a6822b4",
+ "created": "2023-09-28T19:44:53.873Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T19:44:53.873Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
+ "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json b/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json
new file mode 100644
index 0000000000..b17c7f97d0
--- /dev/null
+++ b/ics-attack/relationship/relationship--21470001-67f2-47cf-af21-784e5024ac1d.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--3cf2eeea-d4d4-4bee-9f67-23cf505cd17b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--21470001-67f2-47cf-af21-784e5024ac1d",
+ "created": "2023-09-29T18:01:22.023Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T18:01:22.023Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
+ "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json b/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json
index c2688c51ac..83f6a9e4f8 100644
--- a/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json
+++ b/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cc466a7c-dd29-4262-bcd9-c2b894f52dfb",
+ "id": "bundle--e4502ada-5784-4779-9934-9cd51c55e324",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json b/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json
new file mode 100644
index 0000000000..0e6c089d2b
--- /dev/null
+++ b/ics-attack/relationship/relationship--2159458f-87fc-4479-81f4-a2521a378221.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--b1db6c91-75ec-4e57-8261-aa110ae80696",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2159458f-87fc-4479-81f4-a2521a378221",
+ "created": "2023-09-28T21:22:09.790Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:22:09.790Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json b/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json
new file mode 100644
index 0000000000..3160efe451
--- /dev/null
+++ b/ics-attack/relationship/relationship--21aa6331-3419-4049-b180-8349b71e1f2a.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--6f941dc0-df99-4183-8657-e6d4bb25d85f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--21aa6331-3419-4049-b180-8349b71e1f2a",
+ "created": "2023-09-28T21:11:03.947Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:11:03.947Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json b/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json
index 74615fdf71..725ed254ec 100644
--- a/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json
+++ b/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--46a948d7-11c7-4017-877b-6df37adae8dd",
+ "id": "bundle--d2da500c-b236-4729-891e-3689a9e9a8b8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json b/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json
index 97057f3046..8c58ff8135 100644
--- a/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json
+++ b/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--94c32541-1197-4e29-aaa9-2d5e9808b7b1",
+ "id": "bundle--e223dd5d-c939-4e6c-9189-6f1c7fcd82af",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json b/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json
index 8caed54c09..6f857e3afb 100644
--- a/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json
+++ b/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--90b99263-a025-4db6-9912-d42a0a192d60",
+ "id": "bundle--6fb5ba3d-f438-4bcd-a874-d683d43fb854",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json b/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json
new file mode 100644
index 0000000000..90d38f69c1
--- /dev/null
+++ b/ics-attack/relationship/relationship--22548926-29b4-4882-9878-633375489c0e.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--7f0fc593-d874-4684-9ec6-76973237d2a5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--22548926-29b4-4882-9878-633375489c0e",
+ "created": "2023-09-28T20:30:50.842Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T20:30:50.842Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json b/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json
new file mode 100644
index 0000000000..84dde0f952
--- /dev/null
+++ b/ics-attack/relationship/relationship--2289f005-7863-4af5-b681-cdfc03d3f111.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--20efb3a7-e1ad-4d0a-a5a5-35b004d40359",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2289f005-7863-4af5-b681-cdfc03d3f111",
+ "created": "2023-09-29T18:56:08.414Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T18:56:08.414Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json b/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json
index 638248db87..e9e142f661 100644
--- a/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json
+++ b/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--52f2e11c-0889-4bca-98b9-bf5664a41c9f",
+ "id": "bundle--f2328f18-7063-439c-92e8-1fe61f8e93b7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json b/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json
new file mode 100644
index 0000000000..aecf6a50f5
--- /dev/null
+++ b/ics-attack/relationship/relationship--22ba5443-ea49-4076-a666-722eb5352f70.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--ff2fec5f-0474-44de-923b-986640a04ecf",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--22ba5443-ea49-4076-a666-722eb5352f70",
+ "created": "2023-09-28T20:02:45.697Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T20:02:45.697Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json b/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json
new file mode 100644
index 0000000000..f07442ef20
--- /dev/null
+++ b/ics-attack/relationship/relationship--232c7049-7609-46a9-8bbe-38672713f853.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--08bd4586-52ca-4d6d-a9ec-ac2cec9d1bae",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--232c7049-7609-46a9-8bbe-38672713f853",
+ "created": "2023-09-28T21:15:32.371Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:15:32.371Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json b/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json
new file mode 100644
index 0000000000..b096009fe5
--- /dev/null
+++ b/ics-attack/relationship/relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--5cb17e36-282a-49c9-8a5f-3eb5a124cfd8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2346cbf5-b3c8-4110-a66c-6194251d4d49",
+ "created": "2023-09-29T16:43:53.940Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T16:43:53.940Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
+ "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json b/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json
index 8848c7a79b..99fe9bc577 100644
--- a/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json
+++ b/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8fde2fed-6eb5-4ce5-a912-3f2f7c5435df",
+ "id": "bundle--16f7a7c0-9413-4009-b228-a5f4debd7990",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json b/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json
index b7ff7d6d7c..4a25de36e6 100644
--- a/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json
+++ b/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ce2a2972-12e6-4654-a877-c7a498bc6fbc",
+ "id": "bundle--bc720581-386a-40a8-9a06-12cfc3a809b3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json b/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json
index db8c6365a5..756250d491 100644
--- a/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json
+++ b/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4f6b1fa1-bfe2-4502-a64c-0838950e62cc",
+ "id": "bundle--897c1d9a-c545-43e2-85c7-1f2f6afb4cf9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json b/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json
index ae673be4b5..ffe05bb8a7 100644
--- a/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json
+++ b/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5c4b4174-afed-4995-9be2-3aec49da3994",
+ "id": "bundle--0a176ba4-1ff8-47cb-a52b-6b03324efab9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json b/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json
new file mode 100644
index 0000000000..dca26672f6
--- /dev/null
+++ b/ics-attack/relationship/relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--b7c140c7-bbc7-4daa-8d0a-4c3aadcffadb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--2452cc82-6ee0-4a98-a213-d5e3f3247e07",
+ "created": "2023-09-28T20:25:47.357Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T20:25:47.357Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json b/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json
index 0b5da22900..d494dc28cb 100644
--- a/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json
+++ b/ics-attack/relationship/relationship--245c8c36-28e5-4508-a585-7768cb33299a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--db3b4a6b-7f98-440e-9a42-b8ef9fc26178",
+ "id": "bundle--cdf36ce0-0a04-4ee6-9cf5-2a71a2a00745",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json b/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json
new file mode 100644
index 0000000000..b87255b62c
--- /dev/null
+++ b/ics-attack/relationship/relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--2e88915b-9a92-4541-ac7e-47ac471ee8d4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--24885921-734f-46c1-85d7-3f79e0b886d6",
+ "created": "2023-09-27T14:51:18.262Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Ukraine15 - EISAC - 201603",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.",
+ "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-10-04T17:03:24.257Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet gateways with custom firmware to make systems either disabled, shutdown, and/or unrecoverable. (Citation: Ukraine15 - EISAC - 201603)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json b/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json
new file mode 100644
index 0000000000..7b221a50c1
--- /dev/null
+++ b/ics-attack/relationship/relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5.json
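Review bot: In the new relationship--24885921-734f-46c1-85d7-3f79e0b886d6.json, the `external_references` citation text spells the report title with "Ukranian"; the E-ISAC/SANS report it cites is titled with "Ukrainian", so the entry should read `Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.` to stay searchable against the source document. In the relationship `description`, "shutdown" is used as a verb; `to make systems either disabled, shut down, and/or unrecoverable` reads correctly. The same citation text probably recurs on other objects that cite `Ukraine15 - EISAC - 201603`, so the correction belongs in the shared reference rather than in this one file only.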
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--119d8325-c013-4bdc-b328-6486ddeb4ba6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--24d17e8f-0c0f-41d1-aa83-8b69b8d30be5",
+ "created": "2023-09-29T17:07:55.738Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:07:55.738Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json b/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json
new file mode 100644
index 0000000000..e3722773c1
--- /dev/null
+++ b/ics-attack/relationship/relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--a8bf37ef-263f-4816-babb-efb93d02bbeb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--24e1f6cf-44c3-4a3f-9839-5cd6398cc0fe",
+ "created": "2023-09-28T20:10:06.838Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T20:10:06.838Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json b/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json
new file mode 100644
index 0000000000..637aceb955
--- /dev/null
+++ b/ics-attack/relationship/relationship--250212f0-a149-4a14-af83-94f7fcedc021.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--69443a51-e6e2-4980-afe3-52da422797c8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--250212f0-a149-4a14-af83-94f7fcedc021",
+ "created": "2023-09-28T20:26:29.934Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T20:26:29.934Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
+ "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json b/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json
new file mode 100644
index 0000000000..683d69d406
--- /dev/null
+++ b/ics-attack/relationship/relationship--25281488-be20-4d83-89d1-1da7ea836037.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--e72b524d-9780-4d61-b626-1ea206910bc6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--25281488-be20-4d83-89d1-1da7ea836037",
+ "created": "2023-09-29T17:40:47.898Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:40:47.898Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
+ "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json b/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json
index 4422b8cfd7..0d05d541c0 100644
--- a/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json
+++ b/ics-attack/relationship/relationship--25ddb2e0-b945-45d2-a8a9-6e6d5c4401d3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a2335daa-bf06-4f1c-885c-8166f92a7ab3",
+ "id": "bundle--752a7575-1008-46ab-a33b-eff34bd681f0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json b/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json
index 46d310be92..475f994d2c 100644
--- a/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json
+++ b/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6800da9-fb3e-4a79-aee4-62676f01847f", + "id": "bundle--74ba3dd3-1802-4510-98a7-448280d5f9b5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json b/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json index 8f836aca74..c4ef720f6f 100644 --- a/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json +++ b/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8537483d-219f-4d1e-95b7-fd80c0419502", + "id": "bundle--01673168-446f-477e-991a-01f629ff3808", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json b/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json index 5bc1e8537d..cef3e2054d 100644 --- a/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json +++ b/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84892977-978f-4350-98b2-7788c65478ad", + "id": "bundle--830705e4-d20c-4205-b1d9-0c4847c5a6a5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json b/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json index cb1bdd4e05..3ff1af2b50 100644 --- a/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json +++ b/ics-attack/relationship/relationship--268b9429-b1c6-4bc3-84cf-8512e8ef57a7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--76af9b52-9931-466a-bf3c-a38781bc69c3", + "id": "bundle--daf3954b-b4ed-4b23-998e-7428cf2b72de", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json b/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json index e93da7b8fc..6b9ea75ca0 100644 --- a/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json +++ b/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--689cba1d-79ab-416a-a9f3-18e2b90c0a56", + "id": "bundle--5463d986-0b69-495a-a313-c8471baecb0b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json b/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json index 4421ff549b..11905cd0f0 100644 --- a/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json +++ b/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f783069-303d-4ce9-8aea-28d1ad6640f5", + "id": "bundle--7828e8d5-2db8-4ea5-886c-fb1d5b34317b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json b/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json index 8f31b36cf2..fbbecec05f 100644 --- a/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json +++ b/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0a6b736-7567-46df-83eb-98cb22b90d0a", + "id": "bundle--515e8803-1820-4306-a57f-0c509450e6f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json b/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json index 61c545f50b..dfd87a07b8 100644 
--- a/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json +++ b/ics-attack/relationship/relationship--274994e7-1fe9-463a-9979-46c72107bf9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa8b2949-46d2-4da8-b505-49ccb304fea0", + "id": "bundle--1e1d4f63-d270-4164-868a-5307e5a50256", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json b/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json index 281c32aa86..bed3175c26 100644 --- a/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json +++ b/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1a7c044-64e5-4363-bfaa-9ab7e4283275", + "id": "bundle--16b46c5c-b8fa-4303-a4a6-c0afec6431d0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json b/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json index 19e0d8b5af..76e760eac8 100644 --- a/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json +++ b/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4af52a61-9aec-438f-9678-663f919b4375", + "id": "bundle--7fe0b074-2633-482b-bf0c-f8d8ddc00e4a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json b/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json new file mode 100644 index 0000000000..ce9820cfc5 --- /dev/null +++ b/ics-attack/relationship/relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--97931764-5be5-41eb-926d-dce807bbade8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--287b247f-8ec3-4d8d-a521-050ac8c791ad", + "created": "2023-09-29T18:05:32.443Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:05:32.443Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json b/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json index fe8163caf9..88efd388cc 100644 --- a/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json +++ b/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--002b1ea5-4647-4777-be15-538f7233d945", + "id": "bundle--a3092160-0cb3-46d8-b07c-478a123b4f9e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json b/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json new file mode 100644 index 0000000000..991aa9f945 --- /dev/null +++ b/ics-attack/relationship/relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--90e906af-93cf-4392-88fe-0f213c55a629", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--28e89bca-04a2-462f-9d84-d5dc4d55d98e", + "created": "2023-09-28T21:26:47.115Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:47.115Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json b/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json new file mode 100644 index 0000000000..ee6ab45a24 --- /dev/null +++ b/ics-attack/relationship/relationship--296375b0-817d-4f42-afe1-4308f5edf973.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1495dcf7-4b12-4e90-a2c2-30e7960bd75c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--296375b0-817d-4f42-afe1-4308f5edf973", + "created": "2023-09-28T21:10:25.193Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:10:25.193Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json b/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json index 105f81ed79..fbdfc7fa81 100644 --- a/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json +++ b/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ea42f88-dcd2-4c40-8fa9-5a2d85d67d59", + "id": "bundle--f0b6a953-aa5c-483b-8662-68f33fe25f34", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json b/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json index 4ab27e1527..7e4636b066 100644 --- a/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json +++ b/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e81fb85-40c2-4a91-81f5-f51e2e7b8846", + "id": "bundle--a9411ecd-6665-4e69-8d74-614a945bc414", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json b/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json new file mode 100644 index 0000000000..980fa8aa98 --- /dev/null +++ b/ics-attack/relationship/relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bfeb6601-c30b-47b6-8148-7ec37e9a4fca", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--29c2757d-c5f6-4c8d-bbdd-3629cb14dd81", + "created": "2023-09-29T18:46:39.854Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:46:39.854Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json b/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json new file mode 100644 index 0000000000..8e0331358a --- /dev/null +++ b/ics-attack/relationship/relationship--2a451896-81aa-4eed-a444-4d04661adeeb.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7263e1d5-8641-4bb2-9c4a-590d77c9efcc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2a451896-81aa-4eed-a444-4d04661adeeb", + "created": "2023-09-29T16:43:42.911Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:43:42.911Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json b/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json new file mode 100644 index 0000000000..5520cef9bb --- /dev/null +++ b/ics-attack/relationship/relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--70939842-c5ff-48db-9f40-86cf18c51d19", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2aaa6840-47fc-455c-9b19-1d27c3afccbe", + "created": "2023-09-28T19:38:46.361Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:38:46.361Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json b/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json index 1ddf53d7a5..59aaaf5015 100644 --- a/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json +++ b/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53a74921-c980-484d-98d7-753e7cad5063", + "id": "bundle--411e1ab1-19c7-42e0-9b0b-629551d1d68c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json b/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json new file mode 100644 index 0000000000..f2086f9147 --- /dev/null +++ b/ics-attack/relationship/relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6e1baa9d-bec5-4d2d-ae2d-0fd8aca35f92", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2b7d57d7-3802-4b59-99c6-1e1597fe78d1", + "created": "2023-09-29T18:46:54.684Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:46:54.684Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2c641542-2e18-4943-849a-7141b7da4fcd.json b/ics-attack/relationship/relationship--2c641542-2e18-4943-849a-7141b7da4fcd.json deleted file mode 100644 index 3f49ae9ad5..0000000000 --- a/ics-attack/relationship/relationship--2c641542-2e18-4943-849a-7141b7da4fcd.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--d4b8e03a-026a-47c8-95cc-4b6fa5642ab6", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--2c641542-2e18-4943-849a-7141b7da4fcd", - "created": "2022-09-20T20:54:36.422Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:25:27.955Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors raised the sodium hydroxide setpoint value from 100 part-per-million (ppm) to 11,100 ppm, far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json b/ics-attack/relationship/relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json deleted file mode 100644 index eb3d22083e..0000000000 --- a/ics-attack/relationship/relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--aecb7f28-d6e6-4472-8aeb-1c12002a7005", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:54:43.581Z", - "description": "In the 2015 attack on the Ukrainian power grid, the [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled disconnects of uninterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json b/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json new file mode 100644 index 0000000000..f52df6ab48 --- /dev/null +++ b/ics-attack/relationship/relationship--2c79920a-f2d1-4114-a1df-924835da645c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5467e183-3188-4639-92c3-31ffe8046a09", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2c79920a-f2d1-4114-a1df-924835da645c", + "created": "2023-09-28T19:53:00.672Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:00.672Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json b/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json index fbf4fd52a0..9083e17ea6 100644 --- a/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json +++ b/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8af14cda-3893-47dc-acf5-24f9c83e6bee", + "id": "bundle--5a605c2b-18c5-4a7e-91f0-0d7ba38f7ace", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json b/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json index b1b6d234da..55ff258bae 100644 --- a/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json +++ b/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a036c565-913f-4b6d-b97f-2acea033b08c", + "id": "bundle--09cfb344-529c-4c1f-bca7-d2456319efca", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json b/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json index e09f13709d..8ec44c22f6 100644 --- a/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json +++ b/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46137f4e-f809-45fb-b3d0-5bdc5372abe5", + "id": "bundle--4b9227e7-9e7f-4188-a5ec-0fadd15466d5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json b/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json new file mode 100644 index 0000000000..6910a827ad --- /dev/null +++ b/ics-attack/relationship/relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a0279e7d-84ae-4e64-97ec-d92eafc58e88", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2d0bed1d-342b-44a0-aec8-e6d7c6596fa2", + "created": "2023-09-29T16:33:12.887Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:33:12.887Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json b/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json index 9b279c7996..6cac50e648 100644 --- a/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json +++ b/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--232c7741-781b-464e-8edf-0013e3f69317", + "id": "bundle--65f77f41-b0ef-4a34-b3a6-adbfe35efa50", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json b/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json index 20968419ac..2cafa313d6 100644 --- a/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json +++ b/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6a392eee-f9a1-4733-9439-f01752bbd543", + "id": "bundle--d2199a45-2359-43d1-a6b2-3688000e3a82", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json b/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json new file mode 100644 index 0000000000..4a3682cbef --- /dev/null +++ b/ics-attack/relationship/relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9b9781d3-f40f-417e-bf89-a7bcbaeab383", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2dc39956-05d1-4dd5-86db-cb70568d73fe", + "created": "2023-09-29T17:39:15.857Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:39:15.857Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json b/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json index ff3a66322a..e661ac83cb 100644 --- a/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json +++ b/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1bbdcfa1-1443-400f-88ba-84fa29ac44c6", + "id": "bundle--ed434772-cf30-4101-b31a-b739910de2f1", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json b/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json new file mode 100644 index 0000000000..983878fb70 --- /dev/null +++ b/ics-attack/relationship/relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d00f55c5-8e37-42db-bb86-321f78219421", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2e32e0fd-24cf-4a41-b56d-98ada9f1db8a", + "created": "2023-09-28T19:40:51.425Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:40:51.425Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json b/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json index af114ff220..1151d0c2d9 100644 --- a/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json +++ b/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f913481-146b-4e4a-8a06-162334c25ebf", + "id": "bundle--b55bf56f-048b-413f-91c2-f521e33b2d39", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json b/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json index e55a7864fa..c5d5527fd7 100644 --- a/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json +++ b/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6c6005c-f8ec-4e77-9aa7-c426bd58a728", + "id": "bundle--4464525d-f52a-4977-b8be-3cbdeefe30da", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json b/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json index 29c0570688..2f50111800 100644 --- a/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json +++ b/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3c621cee-6699-41fe-9aba-6e6157197436", + "id": "bundle--6b781442-227e-471e-ad25-7282818b8537", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json b/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json new file mode 100644 index 0000000000..f54fb86839 --- /dev/null +++ b/ics-attack/relationship/relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3161607a-0901-412d-aa4b-2e17432f8a7b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2ecf9476-b546-44ff-8547-4ca56cf7eeb8", + "created": "2023-09-28T20:02:05.365Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:02:05.365Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json b/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json new file mode 100644 index 0000000000..bde3faff52 --- /dev/null +++ b/ics-attack/relationship/relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--f097a159-7d66-4b3a-935f-87c9515f93fb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f", + "created": "2023-09-27T14:47:29.337Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.258Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems. Sandworm Team used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. 
(Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json b/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json new file mode 100644 index 0000000000..a94a298165 --- /dev/null +++ b/ics-attack/relationship/relationship--2f457bef-1721-4e0f-b236-24e4652a31b4.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1d151b54-841d-493b-81a3-5d466dfa4080", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2f457bef-1721-4e0f-b236-24e4652a31b4", + "created": "2023-09-29T16:29:53.181Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:53.181Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json b/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json index 19054321ea..a8863e5a2a 100644 --- a/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json 
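Review bot: In relationship--2f0d1a71-7cb6-4979-b072-a859d117d47f.json the `Booz Allen Hamilton` entry in `external_references` does not follow the citation format of the entry beside it: `"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "` has no publication date, puts the period before the retrieval date and ends in a trailing space. I would write it in the same shape as the EISAC entry, e.g. `"description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019."`, with the publication date filled in from the report itself. "Ukranian" in the EISAC title looks like a misspelling of "Ukrainian" and should be checked against the source document. Analysts use these citations to trace a campaign claim back to its evidence, so each reference should be unambiguous and consistently formatted.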
+++ b/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad232637-0ac5-4c1d-b0c0-178e6bfcf07d", + "id": "bundle--62d0ceb3-c3dc-466f-bb5e-47df69a37bf6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json b/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json index 452b940fdb..549ae5e407 100644 --- a/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json +++ b/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--be15e7ba-5684-42f8-aec6-90f430bcf042", + "id": "bundle--7b4ab82b-fd18-4c5d-849b-8d51f0ffd37f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json b/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json new file mode 100644 index 0000000000..b67130aebf --- /dev/null +++ b/ics-attack/relationship/relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c81e1e1d-9fde-44ec-8302-cf86544a2a10", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2f9c25af-d2e2-4793-85bf-6e2696384a50", + "created": "2023-09-28T20:30:21.865Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:21.865Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json b/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json index 577efd0c82..44ab1ca287 100644 --- a/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json +++ b/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8639f1f2-8bea-4ec7-bec4-62f20870f003", + "id": "bundle--b2d117ce-e8e2-4175-afc3-d9fc7d15913a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json b/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json index 6403a4cb29..00c9ed3bd7 100644 --- a/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json +++ b/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c31d7bb-33f5-402b-ab95-d676ae73b405", + "id": "bundle--19eacabe-297c-46ec-89a4-1067834046c3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json b/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json new file mode 100644 index 0000000000..c4c95965c6 --- /dev/null +++ b/ics-attack/relationship/relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3e75beb7-f8e3-4e93-b70d-32764172f7ed", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2fd8a76f-4663-4251-a16d-e1f105a854f9", + "created": "2023-09-28T19:43:28.167Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:43:28.167Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json b/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json new file mode 100644 index 0000000000..613c227a4e --- /dev/null +++ b/ics-attack/relationship/relationship--2fe222c4-cc81-473d-956e-235e2961a5c3.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8a430a85-d422-4b69-9f97-a13afa482f5a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2fe222c4-cc81-473d-956e-235e2961a5c3", + "created": "2023-09-29T17:04:26.769Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:04:26.769Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json b/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json index 085fd1c8fe..b9454e29c4 100644 --- a/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json +++ b/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73cdefbc-0d15-404a-b9b7-cea1e2e37fd4", + "id": "bundle--485c65db-60f9-4d67-9de1-697aed79c059", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json b/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json index ee089f1566..c7da94561a 100644 --- a/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json +++ b/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50ca77bb-73ed-4263-aae7-6e3a99c1b67c", + "id": "bundle--ff13f71e-75fa-4379-8045-b8bfe6d2b311", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json b/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json new file mode 100644 index 0000000000..3d81006a49 --- /dev/null +++ b/ics-attack/relationship/relationship--305866af-1f36-49e0-a57d-d5faaf29011c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--86c7aaff-aecb-403c-9827-d6a116a7649b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--305866af-1f36-49e0-a57d-d5faaf29011c", + "created": "2023-09-28T20:34:52.740Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:34:52.740Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json b/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json index 5be93188ff..3b922a84f0 100644 --- a/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json +++ b/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64c266f4-6e37-4f05-bb87-1d8775d12474", + "id": "bundle--c80b216d-d93f-4a37-b309-8560da54dc26", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json b/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json index 205fdcd569..3e11c505e1 100644 --- a/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json +++ b/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2875c2d-c375-48f8-85f2-fdacf77708bf", + "id": "bundle--cf8353b2-9546-4b65-9b2a-5543d128e427", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json b/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json index cbdf4079be..c74414e772 100644 --- a/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json +++ b/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--473edc29-56ea-4d56-89e7-0272bd936e03", + "id": "bundle--93ca6d6d-0628-4752-84da-a34870b9a165", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json b/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json index 2f2d95eeef..7f29b3005d 100644 --- a/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json +++ b/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3f28e6a-949d-49a5-b9c3-5c8b1f2e55c3", + "id": "bundle--ff5f6c4a-460e-4921-997c-9aa2fd8a9259", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json b/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json new file mode 100644 index 0000000000..8bb4a8b3a9 --- /dev/null 
+++ b/ics-attack/relationship/relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--32de40a9-a89c-457c-8712-7a9be72148f9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--31d7e048-92fc-4b63-b0d5-28b64b39797a", + "created": "2023-10-02T20:18:11.933Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:18:11.933Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json b/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json new file mode 100644 index 0000000000..ef5bbb8a75 --- /dev/null +++ b/ics-attack/relationship/relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f73d0a74-d7ce-4317-9168-490c9178360d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3212de2a-6635-4b95-aeb4-9c0744aed2ce", + "created": "2023-09-28T21:16:44.471Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:44.471Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json b/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json index 027639f8c8..45baeb3ff5 100644 --- a/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json +++ b/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a82b9bf4-1cbc-4725-8efa-dda9c183977d", + "id": "bundle--2a4d91e3-3b7b-483d-8225-305aab8c2096", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json b/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json new file mode 100644 index 0000000000..e0ad6d4c35 --- /dev/null +++ b/ics-attack/relationship/relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--65b209c4-a9fe-48f0-b339-e430d09f3c40", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--32438a90-406c-40f7-a5ac-a1ca92cd51d5", + "created": "2023-09-28T20:26:15.542Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:26:15.542Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json b/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json index 569dcac0f2..8e3673d305 100644 --- a/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json +++ b/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2a4698a-e3cc-4893-9e19-2e0e39bc3b8a", + "id": "bundle--8b36dd65-5f71-4a62-a574-f8682aadeae2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json b/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json new file mode 100644 index 0000000000..62b9f707e7 --- /dev/null +++ b/ics-attack/relationship/relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ff9f918f-7582-4cc0-8ea6-341fb8de5051", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--327f65bc-8a33-4dbb-88d4-714a9e42442b", + "created": "2023-09-28T21:21:07.833Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:21:07.833Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json b/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json new file mode 100644 index 0000000000..92ffac36b8 --- /dev/null +++ b/ics-attack/relationship/relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--475f9c10-1ff8-44a9-8331-924b0b66ab63", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--32bcf2cf-3311-4ef1-9bf4-4bfe14832b3b", + "created": "2023-09-28T20:10:23.215Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:10:23.215Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json b/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json new file mode 100644 index 0000000000..3e1d9ca376 --- /dev/null +++ b/ics-attack/relationship/relationship--32d15d1a-04ba-4035-907a-e2871425e8d1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--477ba799-1b5c-4a78-9ca7-a473f028c9c5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--32d15d1a-04ba-4035-907a-e2871425e8d1", + "created": "2023-09-28T20:28:40.722Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:28:40.722Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--32dbed4e-4dbe-4872-a013-c96111ed102e.json b/ics-attack/relationship/relationship--32dbed4e-4dbe-4872-a013-c96111ed102e.json deleted file mode 100644 index 3847da4ec0..0000000000 --- a/ics-attack/relationship/relationship--32dbed4e-4dbe-4872-a013-c96111ed102e.json +++ /dev/null 
@@ -1,48 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--0c222849-2b4d-487b-bcaa-550b6c235f82", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--32dbed4e-4dbe-4872-a013-c96111ed102e", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - }, - { - "source_name": "ICS-CERT February 2016", - "description": "ICS-CERT 2016, February 25 Cyber-Attack Against Ukrainian Critical Infrastructure Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01" - }, - { - "source_name": "John Hultquist January 2016", - "description": "John Hultquist 2016, January 07 Sandworm Team and the Ukrainian Power Authority Attacks Retrieved. 2019/03/08 ", - "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html" - }, - { - "source_name": "Zetter, Kim March 2016", - "description": "Zetter, Kim 2016, March 03 INSIDE THE CUNNING, UNPRECEDENTED HACK OF UKRAINE'S POWER GRID Retrieved. 
2019/03/08 ", - "url": "https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:54:58.823Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) harvested VPN worker credentials and used them to remotely log into control system networks. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016) (Citation: Zetter, Kim March 2016) (Citation: ICS-CERT February 2016) (Citation: John Hultquist January 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json b/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json index 09cab7a71b..39afbfe8cb 100644 --- a/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json +++ b/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2c5194b-ba41-4a90-916c-734765e16063", + "id": "bundle--ec66b579-6422-4ca3-8831-c4baf21f2e61", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json b/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json new file mode 100644 index 0000000000..3c9674130e --- /dev/null +++ b/ics-attack/relationship/relationship--3334e647-fd5d-481d-a7f9-66f73911a57a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4d441a0e-fc48-40e6-a99c-acbda90b5f20", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3334e647-fd5d-481d-a7f9-66f73911a57a", + "created": "2023-09-28T19:45:30.291Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:45:30.291Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json b/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json index 4eb562316c..0fec0b9eef 100644 --- a/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json +++ b/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--09790430-5cba-44fc-a2cf-25f7b5a16ad5", + "id": "bundle--e2829991-9f72-4e09-8368-7bf82865cc45", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json b/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json new file mode 100644 index 0000000000..7841c0db6c --- /dev/null +++ b/ics-attack/relationship/relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--eaf16bc1-e165-4c72-a2fe-4d035b7adefb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--33bc3e6f-e8cb-40ea-8088-3de39e2490a7", + "created": "2023-09-29T16:47:08.696Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:47:08.696Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json b/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json new file mode 100644 index 0000000000..995d1a1e3d --- /dev/null +++ b/ics-attack/relationship/relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8cef8ab3-0e38-4856-8ce2-43992c4c3485", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--33e33c74-2f17-4bac-bbba-bf4f2a2035e5", + "created": "2023-09-29T18:07:41.540Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:07:41.540Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json b/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json index 50daa3476b..98feaa45ca 100644 --- a/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json +++ b/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--040bb9d1-1bc3-4d3f-a9d5-a00d0014e24e", + "id": "bundle--74f01aee-4a46-4de1-8646-940c03ad107f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json b/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json new file mode 100644 index 0000000000..fd5e6fb11b --- /dev/null +++ b/ics-attack/relationship/relationship--3471632d-253d-469e-9e8c-3b291b4ae88a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ea0b205c-2abb-4569-88cf-23431080a0a5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3471632d-253d-469e-9e8c-3b291b4ae88a", + "created": "2023-09-28T21:14:15.274Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:15.274Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json b/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json index 753d366b3c..604b379a4e 100644 --- a/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json +++ b/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a6000e7-4fa7-4ecb-90ef-a3853a26bf31", + "id": "bundle--edc83229-4cf3-4d1e-8ca8-7825ccbe4c5c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json b/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json index 407083ca9b..6573533118 100644 --- a/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json +++ b/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2164fa8a-417f-4cd5-a6a6-b7bb63443d41", + "id": "bundle--9bfae952-252f-4fd5-abfd-c303ca1ae553", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json b/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json index ac7fc2e162..71ac384bc3 100644 --- a/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json +++ b/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b98fc7bf-a2f3-4ea2-8c74-6460b98bfeca", + "id": "bundle--6c717f9a-d55e-4c73-a0f1-312c2f540888", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json b/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json index 81103474e9..661665afaa 100644 --- a/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json +++ b/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3223bae0-c01c-4d5c-ad03-955e7bcf9c5d", + "id": "bundle--c0c39209-192b-477b-8511-13cd183d8868", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json b/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json index 28d7bdc21c..99cf0f3def 100644 --- a/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json +++ b/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c47552a-8d9f-4a96-917e-2aa3c9715508", + "id": "bundle--2050a08f-649f-4044-abea-bfdd1de273f8", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json b/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json new file mode 100644 index 0000000000..6d95ac8d95 --- /dev/null +++ b/ics-attack/relationship/relationship--3526acc8-8834-4aaa-87a5-51e587360cf5.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d351cd4f-9a66-412d-99ce-3146a0c3299b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3526acc8-8834-4aaa-87a5-51e587360cf5", + "created": "2023-09-29T18:45:47.394Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:47.394Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json b/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json new file mode 100644 index 0000000000..e9f3c9a49b --- /dev/null +++ b/ics-attack/relationship/relationship--352ed52c-88ba-4731-a917-4c33da0f29d4.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--ca4221aa-b0f1-4dae-81ea-5f17184e8538", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--352ed52c-88ba-4731-a917-4c33da0f29d4", + "created": "2023-09-27T14:44:00.588Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Andy Greenberg June 2017", + "description": "Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.", + "url": "https://www.wired.com/story/russian-hackers-attack-ukraine/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T15:19:15.124Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used an IT helpdesk software to move the mouse on ICS control devices to maliciously release electricity breakers. (Citation: Andy Greenberg June 2017)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json b/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json index fe528d32d3..afe67c69dd 100644 --- a/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json +++ b/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--beaf1b83-f947-4f9a-bbab-856e28580adf", + "id": "bundle--f7a0a27c-7431-48d8-8058-d0bccc5d20a2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json b/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json index 0ed65c40b7..592e057b1b 100644 --- a/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json +++ b/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d4ccd0fe-5ce0-4683-90fd-c6ef35243f9f", + "id": "bundle--8c142c0b-e3c5-4124-8681-1d76bb9754ac", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json b/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json index 5378e27a4a..2ebfb498e0 100644 --- a/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json +++ b/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df204bd6-747e-48c0-b054-527832a6ecfb", + "id": "bundle--27a88183-fb6a-4850-b6e0-072fe355b91d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json b/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json index 9461b8f294..1479158ce0 100644 --- a/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json +++ b/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--228bca0b-b49c-463b-8778-dae5af2030dc", + "id": "bundle--59d0b2f9-5c34-4fa5-91dd-42419a232716", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json b/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json new file mode 100644 index 0000000000..1378b1ddf3 --- /dev/null +++ b/ics-attack/relationship/relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--98d9e357-8890-45e1-9d7c-1537cf61fb17", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--368558ce-e8a6-4375-b54f-47c2ab31e38d", + "created": "2023-09-28T20:29:27.153Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:29:27.153Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json b/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json new file mode 100644 index 0000000000..35696cc3c8 --- /dev/null +++ b/ics-attack/relationship/relationship--37048032-b41d-47d8-9c73-7b706bef24d1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--58bab2e6-5040-4770-aa61-86c53df4d3f6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--37048032-b41d-47d8-9c73-7b706bef24d1", + "created": "2023-09-28T20:27:58.625Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:58.625Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json b/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json new file mode 100644 index 0000000000..8d24bd18bf --- /dev/null +++ b/ics-attack/relationship/relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--aa74fb88-c15f-41b4-8cee-ff2e74a0a1d2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--372c2e72-d56a-4501-a3bc-31b6b0c8d0be", + "created": "2023-09-28T21:13:36.185Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:36.185Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json b/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json new file mode 100644 index 0000000000..ca80d241cf --- /dev/null +++ b/ics-attack/relationship/relationship--3731962f-64e7-4750-ac8b-40b97eef8725.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--32cd6673-488f-4702-8faf-90928c32f2ab", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3731962f-64e7-4750-ac8b-40b97eef8725", + "created": "2023-09-29T16:41:15.943Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:41:15.943Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json b/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json new file mode 100644 index 0000000000..dcbc163a1b --- /dev/null +++ b/ics-attack/relationship/relationship--374837a0-6109-4c95-bee6-893b25ac71cf.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--73f6be44-2a36-42cd-8eaa-0d4b72f1a27a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--374837a0-6109-4c95-bee6-893b25ac71cf", + "created": "2023-09-28T21:13:12.715Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:12.715Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json b/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json index 8cf9d1b716..c4dbbcd864 100644 --- a/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json +++ b/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--80ac742d-9d1a-4b45-bf6f-0bd6f85073dd", + "id": "bundle--ee46f155-b3a0-4b7e-bb79-ecbe024ef499", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json b/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json index ff57f3ea7b..214c05b388 100644 --- a/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json +++ b/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86422cec-a6e6-4119-ada9-625632b68659", + "id": "bundle--ad118399-a8ac-44c1-9b47-f10cd7abf029", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json b/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json new file mode 100644 index 0000000000..7960145e40 --- /dev/null +++ b/ics-attack/relationship/relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--10e842ee-cc59-459b-9f48-0fa81541bbaf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--37aeaf27-6bbe-4949-ba77-37649e38f8b2", + "created": "2023-09-29T16:31:46.749Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:31:46.749Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json b/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json index 21e58c7a46..71adaa475f 100644 --- a/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json +++ b/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ca73505-5985-4162-970d-fb9bf3bc46a3", + "id": "bundle--9cb3e1fb-c052-469f-9041-27d1c3618311", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json b/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json new file mode 100644 index 0000000000..3a33ab82bd --- /dev/null +++ b/ics-attack/relationship/relationship--3843dcca-62a2-4224-9241-05f981fa880a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--173d3f58-b0a0-4f41-9362-15d2c33011a0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3843dcca-62a2-4224-9241-05f981fa880a", + "created": "2023-09-28T19:46:23.921Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:46:23.921Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json b/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json index ebf6df9df3..feec428195 100644 --- a/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json +++ b/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00e13e52-a92d-46aa-9eb2-75c432bbd1be", + "id": "bundle--852096a3-4c29-45c8-a166-29e83a65835c", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json b/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json new file mode 100644 index 0000000000..3a4bed4d4f --- /dev/null +++ b/ics-attack/relationship/relationship--38bda770-c470-4358-a9ad-a5b39bec026b.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f605299a-66de-46a3-9ded-037b02b0294f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--38bda770-c470-4358-a9ad-a5b39bec026b", + "created": "2023-09-29T16:28:28.550Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:28.550Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json b/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json new file mode 100644 index 0000000000..5ecc40906e --- /dev/null +++ b/ics-attack/relationship/relationship--39452123-574f-4f3a-95ec-a90170a3d7eb.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5b502ccf-1714-44dd-b97a-96f10c60d605", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--39452123-574f-4f3a-95ec-a90170a3d7eb", + "created": "2023-10-02T20:20:44.850Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:20:44.850Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json b/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json new file mode 100644 index 0000000000..7b81debe18 --- /dev/null +++ b/ics-attack/relationship/relationship--399126a9-815d-4c3b-9d5e-f57d698ac742.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6076f078-9384-4d5c-8ab9-3b6755d4e212", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--399126a9-815d-4c3b-9d5e-f57d698ac742", + "created": "2023-09-28T19:40:36.023Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:40:36.023Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json b/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json index ef5dec376a..72e904a2ab 100644 --- a/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json +++ b/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e63981a-e122-48cd-ab43-a6861d7b80e3", + "id": "bundle--e76908ee-081d-43c8-8f20-a321373db565", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json b/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json new file mode 100644 index 0000000000..4641bf111f --- /dev/null +++ b/ics-attack/relationship/relationship--39e5a489-f557-4130-a285-e0a82f40685c.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3fc4c8ca-6fc7-41f8-afc7-de56ea02da44", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--39e5a489-f557-4130-a285-e0a82f40685c", + "created": "2023-09-28T19:46:38.112Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:46:38.112Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json b/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json new file mode 100644 index 0000000000..af18a59afb --- /dev/null +++ b/ics-attack/relationship/relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f45f58e9-f9b7-4817-9faa-e44f38106da8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--39f785a8-4175-4d3c-ba64-e20ad4bc2584", + "created": "2023-09-28T19:40:21.763Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:40:21.763Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json b/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json new file mode 100644 index 0000000000..6a7e1e087e --- /dev/null +++ b/ics-attack/relationship/relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8d80a3c9-c176-4da4-a6b7-62e37087f96e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3a20ed21-5e69-4a16-a0e3-bace3eba9974", + "created": "2023-09-29T18:56:47.109Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:47.110Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json b/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json index 24ebeab0ea..71244684e3 100644 --- a/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json +++ b/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8082053a-7b34-4efe-842c-9b93900dac5a", + "id": "bundle--7abaec2b-86cf-4366-a8d4-f357438b730f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json b/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json new file mode 100644 index 0000000000..700a4512f6 --- /dev/null +++ b/ics-attack/relationship/relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--60396cd6-9d42-477f-b0a2-51ca3780ad46", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3a76a181-8706-4bc4-9c66-7e809fec44ca", + "created": "2023-09-28T19:44:37.687Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:44:37.687Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json b/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json index 80b635ee44..ad49fc6309 100644 --- a/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json +++ b/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2701f7e2-4c66-41c6-8a91-9c86532ecbca", + "id": "bundle--7aa11704-1599-465a-bce6-f0a5c56b86c7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json b/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json new file mode 100644 index 0000000000..92ba845e52 --- /dev/null +++ b/ics-attack/relationship/relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--704d9b9f-7939-44ec-ae82-3bc7058df2f5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3aa2691d-d88d-4467-ae3e-242b3bac22ea", + "created": "2023-09-28T21:15:18.036Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:15:18.036Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json b/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json index e6305910dd..973582dd27 100644 --- a/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json +++ b/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0a4706b-bf47-41eb-b4a3-8f798b82f2f5", + "id": "bundle--e6e9b251-58ba-4a6b-b75c-df8bdc657d41", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json b/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json index 749e082be2..ddd3ea782e 100644 --- a/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json +++ b/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3c6d0c32-e3a9-43d4-b4e4-12661f9d13d9", + "id": "bundle--d33e1ee9-35e3-4ea2-838d-ea1902dfd4d4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json b/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json new file mode 100644 index 0000000000..acf331427e --- /dev/null +++ b/ics-attack/relationship/relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3ea03d52-1c9c-46c8-a588-e853e01d3e67", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3ad966be-8cb2-42e6-b696-ef9e3b512e35", + "created": "2023-09-28T19:43:15.817Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:43:15.817Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json b/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json index 3034fc2aa3..c25223d934 100644 --- a/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json +++ b/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc2ac409-0656-4297-9740-59b8a5148723", + "id": "bundle--1ee40e6f-fb59-4d0d-b5f1-62efe6211afb", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json b/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json new file mode 100644 index 0000000000..77d6320193 --- /dev/null +++ b/ics-attack/relationship/relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--58acfa4f-7864-40a7-857c-c78e6e70a44b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3b7f39cb-0101-49b0-ab02-a5adb1672688", + "created": "2023-09-28T19:53:33.603Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:33.603Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json b/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json new file mode 100644 index 0000000000..c99bafe255 --- /dev/null +++ b/ics-attack/relationship/relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b514cff2-93a8-484e-8a62-62c52a5061cc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3bc61c8f-3d04-40bd-8239-a15913056bb2", + "created": "2023-10-02T20:22:15.907Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:22:15.908Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json b/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json index b28c07dfdd..dec0ab9194 100644 --- a/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json +++ b/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--131ebdef-1604-406f-a112-e62b9f3df66b", + "id": "bundle--b59dbe8d-f2a6-48a8-a1a5-7cf4285a1104", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json b/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json index 2b4eb9f506..7e9e533f54 100644 --- a/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json +++ b/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ca9c23a-5d59-4fbc-825f-f3ddc54ccac5", + "id": "bundle--ce8821c1-d9e8-4d05-a57f-00d7c10dafef", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json b/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json index ffa42b1f47..1d9be80ae4 100644 --- a/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json +++ b/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--453f8d41-cc16-415a-aa4e-38bd8cec17a3", + "id": "bundle--e15a77a4-3665-4f85-bf30-b6e9070e1025", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json b/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json index df45c3fde7..571b81236c 100644 --- a/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json +++ b/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--77d51877-0e1b-4ef0-868b-0e27016d1bc1", + "id": "bundle--67957e13-f7df-47f3-a1c3-73c3073409b2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json b/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json index fac41a2114..f9f8a342af 100644 --- a/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json +++ b/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4a1fd58-69e2-4ff2-a59e-6aff2646b701", + "id": "bundle--69d114ef-af6d-4727-896f-9d181c73a026", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json b/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json index da0331eb69..3500320516 100644 --- a/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json +++ b/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e97710bf-2832-4609-bcde-9f2bdc2d7025", + "id": "bundle--ab621ce6-c151-4a72-ae60-9ca0bd67e306", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json b/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json index 7347540b5a..eb2c45f163 100644 --- a/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json +++ b/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d188a01-3410-4b13-a953-736ee98dce1e", + "id": "bundle--560a19d9-8a03-4b34-a446-ac2658c682c4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json b/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json new file mode 100644 index 0000000000..f021ededac --- /dev/null +++ b/ics-attack/relationship/relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--340673ec-2ea4-4859-a5b0-168788f19486", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3d3c5d24-be5c-42e8-98ca-3b04382df39a", + "created": "2023-09-28T21:26:11.506Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:11.506Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json b/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json index 4f13f01152..ff35e9ffd0 100644 --- a/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json +++ b/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--44b1c5c6-0295-4a18-a43a-50a15429db05", + "id": "bundle--55b8a0de-dfe3-4b07-a544-4967fdfeef63", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json b/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json index fed1518c98..89d0b30d92 100644 --- a/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json +++ b/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c965b03-cfe0-4dea-9617-95424a6b39c5", + "id": "bundle--9ad27f6b-1625-4061-8bdb-3f18b51f9193", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json b/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json index 85216643d0..ac4c513d68 100644 --- a/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json +++ b/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--470a136b-1834-44d0-83cb-b3d37e61702d", + "id": "bundle--750932db-d0a9-4cd5-94c2-632bc291578f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json b/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json index 8b371433ed..44a1f55b3d 100644 --- a/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json +++ b/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7380dded-d471-44b9-b535-dd2f53d65c0d", + "id": "bundle--e854baeb-8705-4112-9dc8-97cfc28de239", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json b/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json new file mode 100644 index 0000000000..fa3a4e007b --- /dev/null +++ b/ics-attack/relationship/relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--47d37db9-8629-4514-8a22-8da6e7228170", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3dd15958-b159-4d01-b3c2-37bdf9b417b5", + "created": "2023-09-29T17:05:08.346Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:08.346Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json b/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json new file mode 100644 index 0000000000..34c1510b66 --- /dev/null +++ b/ics-attack/relationship/relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0d92daf0-691d-442a-ac56-294d60f08f5b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3dd35c9a-146d-4370-80ac-69fed35d81a1", + "created": "2023-09-29T16:44:16.391Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:16.391Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json b/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json index 2b27552977..fa66ebf7ed 100644 --- a/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json +++ b/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4da992b8-5217-4542-bb99-4533d84568ef", + "id": "bundle--accd347b-bd16-45ff-a04e-be9690a0b4fb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json b/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json index ccbd806026..29760a294b 100644 --- a/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json +++ b/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6bee2344-6b52-4e33-9865-f458b3710995", + "id": "bundle--6d9ede4c-dcc6-474d-a15a-e76b8d163914", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json b/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json index e27a806343..f3efb3a490 100644 --- a/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json +++ b/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0bca1d2-605a-4aa5-baf2-f7a44b28af26", + "id": "bundle--0ef07d29-bc97-4432-ac3e-2662cd0a0979", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json b/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json new file mode 100644 index 0000000000..529765419b --- /dev/null +++ b/ics-attack/relationship/relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1a1e27c5-0cfa-42b3-9d25-38fa3d2a0a75", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3f07067f-0cbc-489c-8722-a33399ebd4f9", + "created": "2023-09-29T17:39:42.457Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:39:42.457Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json b/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json index 5385d01711..4dfd4185c2 100644 --- a/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json +++ b/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b429dbfc-63e6-4180-9a52-9ef549ec8f7f", + "id": "bundle--62fba9c2-1951-4e72-bf5c-34dba2eb76c9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json b/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json index 0f35a03672..8d24517936 100644 --- a/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json +++ b/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f30530b8-2f95-47c9-9e85-60b23a563731", + "id": "bundle--f57e011e-2b23-431f-9412-eb5246f2a222", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json b/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json index 5e1acf901e..2908731b7c 100644 --- a/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json +++ b/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de4dc38d-1b18-4ca5-bbba-53e0dde74991", + "id": "bundle--faf51841-797d-4945-9741-6d707bf11bf6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json b/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json new file mode 100644 index 0000000000..10196b4756 --- /dev/null 
+++ b/ics-attack/relationship/relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--69f9b4e0-7706-417d-8fb5-fb64df1032b2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3f92c11b-f6e2-4c07-9913-9fa7469ba4fe", + "created": "2023-09-28T21:17:18.201Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:17:18.201Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json b/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json new file mode 100644 index 0000000000..e5bbb04f96 --- /dev/null +++ b/ics-attack/relationship/relationship--3fb86696-1d56-42d5-a73d-044a78b588fe.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--d713ff4b-8388-4349-8a8b-f985dd9ad5ff", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3fb86696-1d56-42d5-a73d-044a78b588fe", + "created": "2023-09-27T14:54:12.586Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T15:19:28.937Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the serial-to-ethernet converter firmware, rendering the devices not operational. This meant that communication to the downstream serial devices was either not possible or more difficult. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json b/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json new file mode 100644 index 0000000000..1e8ca33cd1 --- /dev/null +++ b/ics-attack/relationship/relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa.json 
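Review bot: The `external_references` entry in the new `relationship--3fb86696-1d56-42d5-a73d-044a78b588fe` object has a citation `description` that runs author, title and retrieval date together and ends in a trailing space (`"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "`). Tooling that renders citations or de-duplicates them by string will treat it differently from cleanly formatted entries. I would separate the fields and drop the trailing space, for example `"description": "Booz Allen Hamilton. When The Lights Went Out. Retrieved 2019/10/22."`. This object also declares `x_mitre_attack_spec_version` as `3.1.0`, while the other added `targets` relationships visible here declare `3.2.0`. That probably just reflects when it was authored, but consumers that gate on the spec version should confirm they accept both.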
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--858ee28a-f775-47a0-8e01-03fae020e1fb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3fe69c6d-6722-44ad-bab7-e34981d68daa", + "created": "2023-09-28T20:27:43.727Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:43.727Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json b/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json new file mode 100644 index 0000000000..4c0fdb4a92 --- /dev/null +++ b/ics-attack/relationship/relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--295c78ca-0d89-46f4-aa7d-0a05e99af900", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4011b9e8-317f-40b9-bd3c-3fb1e99c6542", + "created": "2023-09-29T18:57:32.665Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:57:32.665Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json b/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json index 6cc6706966..3bd33f66d4 100644 --- a/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json +++ b/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3654a248-e46d-422b-bd2d-9327ca62540b", + "id": "bundle--f041bf04-33e5-4cff-b158-439c96c2f2ef", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json b/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json new file mode 100644 index 0000000000..15a0c1b217 --- /dev/null +++ b/ics-attack/relationship/relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ad0d6fe0-b585-43ab-89fe-d87630664860", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4059da6f-b52b-4265-8bf9-3ad6154dbde4", + "created": "2023-09-29T18:05:42.611Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:05:42.611Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json b/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json index 9c85f4c386..7341987356 100644 --- a/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json +++ b/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0bcf783f-51e4-47b3-987a-a97ec1937f66", + "id": "bundle--946a797b-b6c1-4859-a6c8-f65b8a039857", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json b/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json new file mode 100644 index 0000000000..9a212ba977 --- /dev/null +++ b/ics-attack/relationship/relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bb3b5f7e-a852-4cd0-9bc6-015dbf5c85d4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--413c1c41-6ef9-413b-a75a-e67f1668b3db", + "created": "2023-09-29T17:04:46.290Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:04:46.290Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json b/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json index 6c7f82ce7f..6784df518c 100644 --- a/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json +++ b/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1435b72d-d939-43d7-803a-fd095c44c4a5", + "id": "bundle--acccbebb-152e-411f-97a1-994f48f342d7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json b/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json index 5a91e3827c..c51c51b202 100644 --- a/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json +++ b/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5927fccd-1c2c-4fb3-ba41-5c48f722c521", + "id": "bundle--e19def05-1beb-40fd-bb59-fb63a23dcc37", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json b/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json new file mode 100644 index 0000000000..7972fad3d1 --- /dev/null +++ b/ics-attack/relationship/relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--67071ebc-56df-4d36-9fe2-9e3cd012fdb7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--41dbf626-b968-4b51-9f7d-aaea14d39b4d", + "created": "2023-09-28T19:58:43.542Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:43.542Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json b/ics-attack/relationship/relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json deleted file mode 100644 index 632f95215f..0000000000 --- a/ics-attack/relationship/relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--f7edc969-bfd5-4010-b70e-905579264d96", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:55:23.567Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json b/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json index ecfffa1884..2fcae3a1f8 100644 
--- a/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json +++ b/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ccd1b795-5ec4-4030-ade2-4c981c221fcc", + "id": "bundle--41a65e85-fe56-4375-a7fa-d173f28a1749", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json b/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json new file mode 100644 index 0000000000..fe88e71c1b --- /dev/null +++ b/ics-attack/relationship/relationship--423271c0-04dc-42d0-8e27-fb0b6067e096.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--83e27dd6-7acb-424b-965a-2fb0fec38759", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--423271c0-04dc-42d0-8e27-fb0b6067e096", + "created": "2023-09-27T14:59:43.382Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.259Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power breakers were opened which caused the operating companies to be unable to deliver power, and left thousands of businesses and households without power for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
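Review bot: The `Booz Allen Hamilton` entry in `external_references` of the new `relationship--423271c0-…` object does not follow the citation format of its sibling entry. Its `description` reads `Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ` (no publication date, misplaced full stop, slash-formatted date, trailing space), while `Ukraine15 - EISAC - 201603` uses `Author. (date). Title. Retrieved Month D, YYYY.`. I would normalise it to `Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.` and choose a `source_name` that identifies the report rather than only the publisher, because the `(Citation: …)` markers in `description` resolve by that name. The title in the second reference spells `Ukranian`, which looks like a typo for `Ukrainian` and is worth checking against the source document.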
diff --git a/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json b/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json index a8de5c17eb..0f04bca40d 100644 --- a/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json +++ b/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8f36ade-0ebe-4da4-b024-75f09163f05e", + "id": "bundle--021d8346-127b-4f3c-8423-718fae251596", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json b/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json index f95d27d94d..21a96aad4e 100644 --- a/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json +++ b/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75b46156-a253-43aa-8c2f-da80fb2ed9f2", + "id": "bundle--1afbf1ba-b03e-4952-b369-4e7d48e5a3c2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json b/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json index 63cedb0a6a..52a9cb2a7d 100644 --- a/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json +++ b/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e815df79-19d8-464c-9416-dde501ba3850", + "id": "bundle--5e8571d7-2655-4c3d-b56f-61f8036d00b5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json b/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json new file mode 100644 index 0000000000..e7b75d2118 --- /dev/null 
+++ b/ics-attack/relationship/relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d12d06f2-475c-4a76-ab0a-1d679274c370", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--432b2dc0-52ff-488f-a5e9-c1e510fc7a0b", + "created": "2023-09-28T19:58:54.450Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:54.450Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json b/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json new file mode 100644 index 0000000000..9704f5cf7f --- /dev/null +++ b/ics-attack/relationship/relationship--43344cd7-5004-4dac-8b62-8899105fa265.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c8b1bfa9-550a-4b92-ab9f-1e817a520154", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--43344cd7-5004-4dac-8b62-8899105fa265", + "created": "2023-09-29T18:47:20.334Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:20.334Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json b/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json index e5d55a080b..d269d4b3dc 100644 --- a/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json +++ b/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4aaf3009-7e1e-41b0-a3dd-ffef005eb56e", + "id": "bundle--6c00a0da-f592-4f86-affa-9e3e1106fcb3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json b/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json index cc58db97e5..18913582de 100644 --- a/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json +++ b/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f52d9b13-c70d-404b-8dfc-352236027d2e", + "id": "bundle--b5a62645-807c-48e2-9ca2-0ccfd214a2b5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json b/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json index 06e283c04a..3337da8bd0 100644 --- a/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json +++ b/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--babccf2c-48b1-48db-83d4-2e4722876c5b", + "id": "bundle--95cb142c-4df6-4f30-b43a-0fa75796ed68", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json b/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json index fbbb0f34cc..2825a22667 100644 --- a/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json +++ b/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a89f1253-9028-44da-b58c-ad49d0eedef5", + "id": "bundle--3c4a97c0-2e4e-4239-8172-5ff9e60443e4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json b/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json index df86d8cc79..5cc13d84d6 100644 --- a/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json +++ b/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--073a3424-83f7-4996-b952-a0492f56603f", + "id": "bundle--a511fe44-453f-47f4-90bf-0cab0cdcf815", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json b/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json index a55c0c7ff9..85aeedaeff 100644 --- a/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json +++ b/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11a6fd2e-c809-40a9-83b2-cb91a7185b91", + "id": "bundle--8d340ba6-6a8c-4eeb-a649-1c863f44f916", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json b/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json index 4ee0d77e59..f01d00fe41 100644 --- a/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json +++ b/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--584d90c6-1168-489b-8aa5-954b8c258ea3", + "id": "bundle--f1944d25-1faa-4fc8-8769-35c19c055887", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json b/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json new file mode 100644 index 0000000000..e6b44ef603 --- /dev/null +++ b/ics-attack/relationship/relationship--4508bdef-9528-47ae-804c-bc59d1e694e7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7da4d18d-8b49-4a60-bb49-d61c5ae35cb1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4508bdef-9528-47ae-804c-bc59d1e694e7", + "created": "2023-09-28T20:02:35.354Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:02:35.354Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json b/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json new file mode 100644 index 0000000000..efd987e963 --- /dev/null +++ b/ics-attack/relationship/relationship--456ff399-4925-45d4-aa84-d930eae5348e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5ec1ac22-9698-457c-8288-325bed5ad4df", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--456ff399-4925-45d4-aa84-d930eae5348e", + "created": "2023-09-28T20:26:47.786Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:26:47.786Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json b/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json new file mode 100644 index 0000000000..db686bcdc5 --- /dev/null +++ b/ics-attack/relationship/relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f7cf7852-43c5-4501-bfc7-fde72a630de1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--45aae58e-1d09-49de-b4c2-837c6f1d5d8f", + "created": "2023-10-02T20:22:02.539Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:22:02.539Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json b/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json new file mode 100644 index 0000000000..831eda02cd --- /dev/null +++ b/ics-attack/relationship/relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--689e69d0-a801-4e7f-83e7-b4f59c51e254", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--45d14170-7f7b-4e08-b53f-42fa4a3a04d9", + "created": "2023-09-28T20:15:32.382Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:32.382Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json b/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json index f6bc353e05..6adc1c728e 100644 --- a/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json +++ b/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb476a5a-4af5-46a3-9d6c-c51d97ab16e3", + "id": "bundle--37577558-0c16-4c8f-b7c3-aa84f70e805f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json b/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json index 117b9a2872..2d82e40370 100644 --- a/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json +++ b/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--811ea917-1079-4716-a063-387c2679372f", + "id": "bundle--bbe44318-f978-4200-bf96-9e1e68671060", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json b/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json index 9cf4953dfd..c223279af5 100644 --- a/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json +++ b/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a0f68c2-9c08-4261-872a-77e6acfda536", + "id": "bundle--4130afe3-fd0b-4e09-ab8d-faa26a376d05", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json b/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json index 7e9fde292b..bdd4d3654d 100644 --- a/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json +++ b/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a23adc31-3dd0-427c-999e-a7fb537980e7", + "id": "bundle--ea71875c-783d-4dbe-bd8f-40bd192cb2b3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json b/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json new file mode 100644 index 0000000000..723c701c66 --- /dev/null +++ b/ics-attack/relationship/relationship--4653847b-c089-4435-9159-6f76353833f7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1b91e8ff-5a46-4f32-85a8-74af64fb57e2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4653847b-c089-4435-9159-6f76353833f7", + "created": "2023-09-25T20:43:22.274Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:43:22.274Z", + "description": "All field controllers should restrict the modification of controller tasks to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json b/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json new file mode 100644 index 0000000000..9850ba50ed --- /dev/null +++ b/ics-attack/relationship/relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf.json 
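Review bot: The new `mitigates` relationship `relationship--4653847b-…` is stamped `"x_mitre_attack_spec_version": "3.1.0"`, while every other object added in the visible part of this commit carries `3.2.0`. That may simply reflect when the object was last saved, but if the release is meant to be uniform it should be re-exported so that consumers validating against a single spec version do not meet a mixed set. The description also mixes plural and singular in `(e.g., engineers, field technician)`; `field technicians` would read consistently.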
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--46422c1c-fc53-4c23-bb3f-3404ab6af363", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--46690df4-ddac-4ed4-8987-8706ae68a0cf", + "created": "2023-09-29T16:42:20.944Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:20.944Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json b/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json new file mode 100644 index 0000000000..b0d90610da --- /dev/null +++ b/ics-attack/relationship/relationship--46798892-d849-43fe-8147-b40cc9da291e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8ab1102f-a37d-4950-b570-29f0a6a6b8a7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--46798892-d849-43fe-8147-b40cc9da291e", + "created": "2023-09-28T19:42:29.359Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:42:29.359Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json b/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json index 63ad20c48b..ac3c1fe31c 100644 --- a/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json +++ b/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab8b2135-fd80-4890-8ca6-605d1b504816", + "id": "bundle--c09275f2-a1b2-4710-9c98-e9f0e6256355", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json b/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json new file mode 100644 index 0000000000..c48e1febb5 --- /dev/null +++ b/ics-attack/relationship/relationship--4768c731-3be9-44b8-a217-dfbececa57d9.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ed2e9f4d-964b-42b2-b65a-2ce037434d06", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4768c731-3be9-44b8-a217-dfbececa57d9", + "created": "2023-09-29T18:06:22.868Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:22.868Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json b/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json index 38182cf615..e8919a1bdc 100644 --- a/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json +++ b/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a9d90e7-b6f1-4016-a951-ae4c99b4d69b", + "id": "bundle--faf598de-73d5-4ea3-90dd-c1d66f8b4f41", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json b/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json index 99e3ac37e9..cfb948e2a3 100644 --- a/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json +++ b/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60d3c10c-3c72-4ea9-9ada-01b973b1856b", + "id": "bundle--182c8dda-d8f4-454b-adbd-3e4533567f24", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json b/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json new file mode 100644 index 0000000000..d66006e8e6 --- /dev/null +++ b/ics-attack/relationship/relationship--483719ad-c973-4210-b059-14e87dbd45f8.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--85e7c930-761f-41d2-82bc-a62617e185cf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--483719ad-c973-4210-b059-14e87dbd45f8", + "created": "2023-09-28T19:49:43.417Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:49:43.417Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json b/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json index 69a83b910a..7818072293 100644 --- a/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json +++ b/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c9c8cb5-ac88-4415-b0d0-9afe864fed1b", + "id": "bundle--36c790e7-9a29-4287-bd9d-fc013064a396", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json b/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json index 5037f5f5b4..c41a993782 100644 --- a/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json +++ b/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e316004e-5fe8-43c0-a4bd-73f3d88b40d6", + "id": "bundle--ace61782-8f70-4eeb-bd57-8e51c653d400", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json b/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json new file mode 100644 index 0000000000..7dc6ac20e7 --- /dev/null +++ b/ics-attack/relationship/relationship--49242ea8-4813-49f7-8bd4-9668216cceeb.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4f574dbb-b1e6-4478-9ac4-18b07718435c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--49242ea8-4813-49f7-8bd4-9668216cceeb", + "created": "2023-09-29T16:45:53.300Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:53.300Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json b/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json index eccfe7aa65..0efc114838 100644 --- a/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json +++ b/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cefbde9a-d1be-4d48-b1af-be376869141c", + "id": "bundle--2cecf7da-04d2-4d88-af5b-4b96435285a2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json b/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json new file mode 100644 index 0000000000..1710bd0501 --- /dev/null +++ b/ics-attack/relationship/relationship--4981a944-b3ad-4d78-9881-a17d458e3422.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f4a3c1e0-2615-4312-869f-4a7f482eadd8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4981a944-b3ad-4d78-9881-a17d458e3422", + "created": "2023-09-28T20:01:30.138Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:01:30.138Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json b/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json index 0bb17d1575..647775c931 100644 --- a/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json +++ b/ics-attack/relationship/relationship--49966e16-04a2-4fd7-86cd-aa934040a9d8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0280a8f-6d2c-47cd-98cd-89c5aef49788", + "id": "bundle--d48278b0-40ae-4cf7-b0a4-5019c414987e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json b/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json index b959c95932..3c8688ebb7 100644 --- a/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json +++ b/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e838347d-d347-4b6e-8a77-6bbf6bc85b54", + "id": "bundle--f070211a-5108-4220-8cdb-d635ba3f2cd9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json b/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json index c3292a4b08..a89585c5b6 100644 --- a/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json +++ b/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bca46cf8-3058-43ce-b339-8c64cfd54770", + "id": "bundle--f2e38880-ef0c-46ca-9601-bbcc7b41082b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json b/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json new file mode 100644 index 0000000000..5d56cf8109 --- /dev/null 
+++ b/ics-attack/relationship/relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a33978d8-4601-4673-a345-e1f4a0f3894e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4a641966-3cc8-4dd6-aa61-1a96cfff4a05", + "created": "2023-09-28T19:41:47.648Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:41:47.648Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json b/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json new file mode 100644 index 0000000000..dfc679bb36 --- /dev/null +++ b/ics-attack/relationship/relationship--4a7340fc-0eec-4459-a491-952d736b79ef.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bfdc933e-4c20-48c0-b58b-5de25851fb79", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4a7340fc-0eec-4459-a491-952d736b79ef", + "created": "2023-09-28T19:50:42.505Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:50:42.505Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json b/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json new file mode 100644 index 0000000000..a19bd6bed4 --- /dev/null +++ b/ics-attack/relationship/relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--676d2450-5ed9-41aa-b6b1-949d189852cd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4ad48410-efd9-41c0-ac59-e4343d3b9198", + "created": "2023-09-28T21:09:50.956Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:09:50.956Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json b/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json index 40ed2062b5..9feb757854 100644 --- a/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json +++ b/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a6bce792-0754-412f-bb5c-21c419a13fbb", + "id": "bundle--9b2ee2c3-5d7a-4b86-88c5-431b3d287d9f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json b/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json new file mode 100644 index 0000000000..3121b1133c --- /dev/null +++ b/ics-attack/relationship/relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--50927a89-9371-4d35-8eb5-583a13ac9725", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4b6a964f-af5c-4ec2-a309-c1ae6b929596", + "created": "2023-09-28T21:24:51.818Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:24:51.818Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json b/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json new file mode 100644 index 0000000000..aa43bb1da0 --- /dev/null +++ b/ics-attack/relationship/relationship--4b853b7c-bc55-4599-b88d-d08d651526c0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--716ec946-2544-43f0-a8c3-9ea20706abe7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4b853b7c-bc55-4599-b88d-d08d651526c0", + "created": "2023-09-29T18:49:25.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:25.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json b/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json index 2868437483..eaa5867f96 100644 --- a/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json +++ b/ics-attack/relationship/relationship--4b98b72c-a093-4917-a21b-a0b4f388e98e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0e0f5681-a9cb-41c5-8ed0-1b0b3d8699e8", + "id": "bundle--2eeb5f71-cb84-468b-b90f-29788a8d92cb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json b/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json new file mode 100644 index 0000000000..cde252cc55 --- /dev/null +++ b/ics-attack/relationship/relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a55fbbaf-84ed-415a-ac46-852d6e99e77d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4c1df272-9c2a-4647-8d05-3c0de1613e12", + "created": "2023-09-28T19:59:23.856Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:59:23.856Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json b/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json new file mode 100644 index 0000000000..bc6e83c19f --- /dev/null +++ b/ics-attack/relationship/relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--70a94586-9db1-4bfa-bb8e-b1042c8b6368", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4c53b294-973f-4cc2-a781-6c86b8f1c962", + "created": "2023-09-28T21:23:14.975Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:23:14.975Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json b/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json index 677da4eec6..35bac13899 100644 --- a/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json +++ b/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65d63801-f291-4373-a5ba-311e1ca5a633", + "id": "bundle--9aa067da-9fbf-4401-aea9-6f9765ebf7bd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json b/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json new file mode 100644 index 0000000000..ab97a0979b --- /dev/null +++ b/ics-attack/relationship/relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--b3a90bcd-b1ed-407c-b546-bc224f4770af", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4d407dda-944a-4974-b1c2-0a04d2c9ee4c", + "created": "2023-09-27T13:17:12.592Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Andy Greenberg June 2017", + "description": "Andy Greenberg. (2017, June 28). How an Entire Nation Became Russia's Test Lab for Cyberwar. Retrieved September 27, 2023.", + "url": "https://www.wired.com/story/russian-hackers-attack-ukraine/" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T13:37:24.610Z", + "description": "(Citation: Andy Greenberg June 2017) (Citation: US District Court Indictment GRU Unit 74455 October 2020)", + "relationship_type": "attributed-to", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json b/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json new file mode 100644 index 0000000000..6a4b1ee4e7 --- /dev/null +++ b/ics-attack/relationship/relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6a596dab-6d87-4411-8a57-91648dc67be9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4d76274d-75bc-4cd0-be6a-3d5d99f73cb7", + "created": "2023-09-28T20:27:04.841Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:04.841Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json b/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json new file mode 100644 index 0000000000..4cff161942 --- /dev/null +++ b/ics-attack/relationship/relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1a5e6bea-0e18-49c1-8958-8362edfb3159", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4d7eecfc-4dd6-470c-a604-4c8239ac2be4", + "created": "2023-09-28T21:28:11.821Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:11.821Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json b/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json index 1661bbd36a..1dabde4de6 100644 --- a/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json +++ b/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3c9d2cf-d814-44f5-bc5f-ecd5f4d1b033", + "id": "bundle--cebc8963-52fc-451e-8073-f96d6a3cb1c9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json b/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json new file mode 100644 index 0000000000..8c44f2b786 --- /dev/null +++ b/ics-attack/relationship/relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f67b5278-6eec-4349-a79c-fd9130da9e1d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4f3a843b-18e7-46e8-8285-9102a2fe62e5", + "created": "2023-09-29T18:02:38.399Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:02:38.399Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json b/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json new file mode 100644 index 0000000000..fa5ab858c7 --- /dev/null +++ b/ics-attack/relationship/relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8f12a61e-6823-427d-bfbb-32b8a13bce8f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4f4e2e9e-6f9a-4c9c-af2b-4db4ec444c93", + "created": "2023-09-29T17:57:55.162Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:55.162Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json b/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json new file mode 100644 index 0000000000..4f114aede8 --- /dev/null +++ b/ics-attack/relationship/relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fe0b0013-cd12-4e1f-bbbb-20d555bc123e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4f7cc4b9-fe3a-4883-97cc-4d2a44c55be9", + "created": "2023-09-28T20:09:53.108Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:09:53.108Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json b/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json new file mode 100644 index 0000000000..7be3a07e14 --- /dev/null +++ b/ics-attack/relationship/relationship--4f83cc15-274d-44c6-859f-e598e362e76e.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--26c54150-82d0-4b2c-9a4f-2d155027cfa5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4f83cc15-274d-44c6-859f-e598e362e76e", + "created": "2023-09-27T14:55:55.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.260Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened live breakers via remote commands to the HMI, causing blackouts. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json b/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json index fc634a01af..bc20ff21fc 100644 --- a/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json +++ b/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b70850b3-e7a0-44b4-ad35-43c3e79967ad", + "id": "bundle--168b8636-c975-4dba-87c9-6369cfc1ebd2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json b/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json new file mode 100644 index 0000000000..ce538221a8 --- /dev/null +++ b/ics-attack/relationship/relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ac5df4c8-14e0-4b6c-8684-566fe86f3cb7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--503c5256-b611-437e-a4ef-2ee1fd20ab29", + "created": "2023-09-29T18:03:06.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:03:06.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json b/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json index 6fa47e6d38..9ed72b4d5f 100644 --- a/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json +++ b/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d157e5cd-fee5-414b-8c25-5a3bda166891", + "id": "bundle--8b7b0378-8eed-464a-8520-c5e5244635c1", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json b/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json index 18d81a61af..7f61afccad 100644 --- a/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json +++ b/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4011968b-d816-4059-859a-0c81be78b1fb", + "id": "bundle--d6f1c17b-bbfb-46f1-b5ac-449acafa5469", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json b/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json index 4cab694970..8f0ab939e5 100644 --- a/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json +++ b/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed0a6021-c457-4294-8174-cb8e0102709b", + "id": "bundle--4afed792-bfbe-4c32-8be6-8da56edda3c0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json b/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json index b0b860bdc2..52066009f7 100644 --- a/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json +++ b/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0b82ddf-d492-4c9d-90c9-a5abc6e8d1d0", + "id": "bundle--c7bcdd0f-3622-4cf3-9dac-ff368d0e3a3f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json b/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json new file mode 100644 index 0000000000..ad775d5d58 --- /dev/null 
+++ b/ics-attack/relationship/relationship--5131c799-517c-4bad-ba97-46ad7de956e7.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--363350f4-8a3f-4150-8862-1d37abfd7f45", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5131c799-517c-4bad-ba97-46ad7de956e7", + "created": "2023-09-28T21:17:06.233Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:17:06.233Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json b/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json index 8323419412..628d906c38 100644 --- a/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json +++ b/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a103f86-eac1-4fdc-aa23-86e1a1837b30", + "id": "bundle--d135d7fa-d52f-40b1-aae1-da5445ce2088", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json b/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json index e1ed272504..88df74993a 100644 --- a/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json +++ b/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d400ba9-307b-4468-8831-9e6b4d6c73c6", + "id": "bundle--70a8094b-c83a-4c83-b8d9-848ddda73b21", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json b/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json index 2aac6d987d..b807b711a9 100644 --- a/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json +++ b/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85c64cb3-e379-48ab-89c3-8a8189c79f86", + "id": "bundle--e7f7681f-811f-4dec-91b7-2d211fb60615", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json b/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json index 05af9bc7f1..bd5fbb53cb 100644 --- a/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json +++ b/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--491d1039-56d2-4d1b-88eb-37e5fd89f3a6", + "id": "bundle--2d00a1a7-8c1c-460f-9333-e0d90eb3eca0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json b/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json new file mode 100644 index 0000000000..6a593315cf --- /dev/null +++ b/ics-attack/relationship/relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--31751b82-cae2-41f0-8351-f6d7de3de1c2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5201c576-70a5-4b32-8dfd-dd8ac86f096c", + "created": "2023-09-29T16:40:18.760Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:18.760Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json b/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json index 2c03a26f3d..0242bd9f9d 100644 --- a/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json +++ b/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c55c6080-07ad-4ec5-b132-efa417e42438", + "id": "bundle--c13ba057-ce96-4230-be4c-dafe107401a3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json b/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json index aea823f4f7..02e5fdf549 100644 --- a/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json +++ b/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f7a3c48a-a8bb-4de8-b6b5-473857b411c2", + "id": "bundle--16fd0768-659a-4d5f-b84e-2038272a0c6b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json b/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json new file mode 100644 index 0000000000..3ed62634fd --- /dev/null +++ b/ics-attack/relationship/relationship--523777f8-4780-4716-807c-08a67450b916.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e0057e91-f64a-4b7c-8231-d81ea72f83d5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--523777f8-4780-4716-807c-08a67450b916", + "created": "2023-09-29T18:45:13.052Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:13.052Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json b/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json new file mode 100644 index 0000000000..86cb9c78e9 --- /dev/null +++ b/ics-attack/relationship/relationship--524ffb0f-40ae-4c97-a098-d14001fffa31.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8fde1950-df5a-4aba-b45c-e07d4f9d6655", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--524ffb0f-40ae-4c97-a098-d14001fffa31", + "created": "2023-09-29T16:44:54.473Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:54.473Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json b/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json index 29ca700226..e7b99b8f8f 100644 --- a/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json +++ b/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ef5e184-185f-4c7a-8c19-1f08b2c08759", + "id": "bundle--96715e15-c9c3-42b3-81ad-741739a98f7b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json b/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json new file mode 100644 index 0000000000..09a65319cc --- /dev/null +++ b/ics-attack/relationship/relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3ab93d9e-5fcd-4ba3-8d07-c8e6170457fd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--52bfd00c-2e5b-4e43-bba6-f3b46e241d7b", + "created": "2023-09-28T21:23:26.598Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:23:26.598Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json b/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json index 1fa9c6b7a3..3b50b0cae8 100644 --- a/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json +++ b/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa7cae9d-5cd3-4a47-ae29-b57f01f50d9d", + "id": "bundle--4a045fe5-b445-4138-b72e-ba46307f4fc6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json b/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json new file mode 100644 index 0000000000..7eaff9eaaf --- /dev/null +++ b/ics-attack/relationship/relationship--52e828db-58d0-443e-8d94-54d265d9606e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--33f9ac29-f183-48d3-be63-9f4165161aa1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--52e828db-58d0-443e-8d94-54d265d9606e", + "created": "2023-09-29T17:42:01.044Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:01.044Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json b/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json index 6cdf7458f2..7facbef9d3 100644 --- a/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json +++ b/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b134ac6b-f54f-4eee-8050-7891d3490cf9", + "id": "bundle--303bc143-9917-4db4-b130-46ee13ac81df", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json b/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json index cd47400328..59a59fc1df 100644 --- a/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json +++ b/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2f71bb4-e5c0-4c58-9192-4cdbdb8ad924", + "id": "bundle--0514cbc4-b18e-4423-a603-9162a54c33f9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json b/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json index cc94e95ed8..ebc04bb89a 100644 --- a/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json +++ b/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc0576a5-4391-492c-9f31-7363828a1b52", + "id": "bundle--200fdaaa-1ce9-4232-a80d-598a772d0139", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json b/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json index 68dbbbe3ec..4fa5ec9e84 100644 --- a/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json +++ b/ics-attack/relationship/relationship--53af6987-21bb-46fd-bf85-e3eeaa74de1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1967470f-4665-4841-ba59-fb0e0532ea51", + "id": "bundle--a91e7d30-3757-4e37-8749-1dc4cfe142ec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json b/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json new file mode 100644 index 0000000000..e192e6cade --- /dev/null +++ b/ics-attack/relationship/relationship--53d7a78d-1431-49e8-944c-62c875e58a20.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4c5de00c-f150-4352-b384-35ff70ae3f73", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--53d7a78d-1431-49e8-944c-62c875e58a20", + "created": "2023-09-29T17:08:37.793Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:08:37.793Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json b/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json index 26728cba20..67d4a0dec1 100644 --- a/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json +++ b/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6cee241-e17c-44cb-a570-697dd1700e40", + "id": "bundle--d4ab1bde-ad0f-4cf5-8f1b-138c806ffb60", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json b/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json new file mode 100644 index 0000000000..432ad09cee --- /dev/null +++ b/ics-attack/relationship/relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--dd5748a5-68c3-4278-a415-0e4ea83a6607", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5425d1cd-8840-4640-90a3-72f3bd7151bd", + "created": "2023-09-29T17:44:32.341Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:32.341Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json b/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json new file mode 100644 index 0000000000..df76561a1b --- /dev/null +++ b/ics-attack/relationship/relationship--544e996c-0bdc-42b2-91af-14c27d4213b9.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3d792f64-7fe8-46bf-802f-2160c6387ab2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--544e996c-0bdc-42b2-91af-14c27d4213b9", + "created": "2023-09-28T21:09:23.185Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:09:23.185Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json b/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json new file mode 100644 index 0000000000..fe322236c7 --- /dev/null +++ b/ics-attack/relationship/relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4f10041f-121e-483f-b33b-9010bc008cff", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--54a7bc3f-c05f-4fb3-a980-ffc8750a0a56", + "created": "2023-09-28T20:10:44.014Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:10:44.014Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json b/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json index bd5e0c642d..ef1351e35b 100644 --- a/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json +++ b/ics-attack/relationship/relationship--54a977df-ca85-43b2-b2bc-96fdcd23aa9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f52206b2-45c1-4f93-af89-148b19ad468a", + "id": "bundle--05a1e9ba-01eb-4aef-8424-f0109b6d9164", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json b/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json index 9ed56dc7b0..2ffc814dee 100644 --- a/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json +++ b/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--411a0ba8-45f9-4e93-aaae-4816511c2e57", + "id": "bundle--68b14b14-016a-4ac9-bbec-8da7512aa09d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json b/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json index 803b4f8a78..a3d5f5776a 100644 --- a/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json +++ b/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1dcc858-f23d-420a-859c-afa532163b3d", + "id": "bundle--bb5c5e99-c9e6-4779-af42-3236a2410ef6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json b/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json index afa6b2bec2..3a6c6b48f8 100644 --- a/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json +++ b/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ea6dacd-1503-477f-866f-b55708629fb5", + "id": "bundle--01860e82-b438-4737-aa15-18f256cb8ffd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json b/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json index ba736beeea..6eb49b5e29 100644 --- a/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json +++ b/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--998ba806-b9a1-4da4-b73a-00a7ce8dcc85", + "id": "bundle--53f5b0a0-b7ff-49a8-a2d4-e81656000651", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json b/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json new file mode 100644 index 0000000000..2f9f7da116 --- /dev/null +++ b/ics-attack/relationship/relationship--5677e801-bd49-404b-b54a-6b00da52530c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d5f3a93d-908e-4e86-af9e-794d66e00110", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5677e801-bd49-404b-b54a-6b00da52530c", + "created": "2023-09-29T16:39:01.824Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:01.824Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json b/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json index efee620504..607a9a9258 100644 --- a/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json +++ b/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa3439f6-7483-4212-8d97-189356659e35", + "id": "bundle--63ea77da-acf4-4fca-b292-0ae5bdd7d34f", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json b/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json new file mode 100644 index 0000000000..2c75c42b3d --- /dev/null +++ b/ics-attack/relationship/relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--acfd0cb2-634b-4115-b202-a06fcca95bf1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--56896f6b-27fe-4396-bfea-d3c1a7580b18", + "created": "2023-09-29T18:05:18.147Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:05:18.147Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json b/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json index 3bd5203318..a04490175c 100644 --- a/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json +++ b/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95bb1913-598d-4bd5-9a80-406bd340b508", + "id": "bundle--4680732c-a132-460b-9b60-dfeb4ff7fac7", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json b/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json index 291fcb4fea..18ae1c4519 100644 --- a/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json +++ b/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f33b644-7c7b-4d32-976a-78881cd3ecde", + "id": "bundle--b302145b-efa2-491a-a39a-25f16982d03d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json b/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json new file mode 100644 index 0000000000..d37e83c02e --- /dev/null +++ b/ics-attack/relationship/relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--b9649732-d7a9-40eb-aa32-0c40f8e4e06d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f", + "created": "2023-09-27T14:48:05.715Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.261Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json b/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json index 872b16946f..ce4707f14a 100644 --- a/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json 
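Review bot: The citation text in `external_references[0].description` of the new `relationship--57510758-786a-4f0a-aab2-101eaf4e7b9f` object spells the report title "Ukranian Power Grid", which looks like a typo for "Ukrainian". Anyone searching or de-duplicating references by title will miss this entry, so I would change the phrase to `Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.` unless the published report itself carries that spelling. The `(Citation: Ukraine15 - EISAC - 201603)` marker in the relationship `description` resolves through `source_name`, so correcting the text does not break the link. If other objects in this release cite the same source, they should get the same correction so the reference text stays identical across the bundle.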
+++ b/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--afefe379-6159-404c-b87f-37b23fcfa689", + "id": "bundle--0e848dce-ccd1-4755-9f24-45d86730045e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json b/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json index 3d9a96d31c..3805551590 100644 --- a/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json +++ b/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f01f424c-a276-41e0-874d-2691a5e23e5b", + "id": "bundle--1c909a0b-6170-4261-9a18-436b42ca00f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json b/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json new file mode 100644 index 0000000000..a9aec8a2b8 --- /dev/null +++ b/ics-attack/relationship/relationship--577b53a0-44ff-4cc4-b571-455d61e596c0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f4659f2f-5e70-4d3b-85b5-c2dc8aae0843", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--577b53a0-44ff-4cc4-b571-455d61e596c0", + "created": "2023-09-28T20:27:17.431Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:17.431Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json b/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json index c5688d33e1..a3a04798c4 100644 --- a/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json +++ b/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--78a34f35-1179-4caa-a537-a59ab616d8af", + "id": "bundle--ca026749-5a24-42fc-8374-dccc5ce97c28", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json b/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json index 9c66a25098..5303196ed4 100644 --- a/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json +++ b/ics-attack/relationship/relationship--57e8711a-9aae-4a22-94d4-f4c8a3a8f141.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--87e00a16-4479-4a9a-8a19-79345fd57a30", + "id": "bundle--8a6cf595-0f5c-4bf5-9df8-1545f697112a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json b/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json index 2af97dc2d0..0293bb7955 100644 --- a/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json +++ b/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--927f4ce1-27d9-4a22-b748-54232fd362ae", + "id": "bundle--721bb341-1585-4d27-a87b-06cbf8b3851b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json b/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json index 6edbb1d114..92872e27ec 100644 --- a/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json +++ b/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--998d99b3-f750-48fc-b46a-e2751f0cd20a", + "id": "bundle--8b6f927c-710e-4055-9bee-085bff8fe77b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json b/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json index 01d685293b..5884f20eee 100644 --- a/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json +++ b/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5efba3be-2a8f-44b6-ad0f-15be4f468149", + "id": "bundle--7a2f0c28-1a13-4638-bdbc-a2fbc9090020", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json b/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json index ce01f798f3..0810e1b7eb 100644 --- a/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json +++ b/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--626bd344-2277-4a38-9d6e-879882b59b31", + "id": "bundle--a6955683-6d1c-41d8-846b-ccaf2a79640f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json b/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json new file mode 100644 index 0000000000..139c84b7cc --- /dev/null +++ b/ics-attack/relationship/relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b59e4010-f853-4d6a-86de-429b26dc6906", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--58a95ec2-0079-4d58-a7ed-02664c1095ba", + "created": "2023-09-28T19:38:03.976Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:38:03.976Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json b/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json index 2099924405..ba58c3c766 100644 --- a/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json +++ b/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e3097679-87fd-414d-a522-3f4c0cbd4649", + "id": "bundle--2acde494-cac8-41a6-8102-45243317219d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json b/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json new file mode 100644 index 0000000000..9373ba14dc --- /dev/null +++ b/ics-attack/relationship/relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--45d0898d-ad47-4c9e-9e3a-8bf98007c75a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--58f5c89c-7ed2-4e14-ac07-6e95da16e2f1", + "created": "2023-09-28T20:27:33.713Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:27:33.713Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json b/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json index 0114e3e357..b058073359 100644 --- a/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json +++ b/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2610e2f2-71e7-4752-8c1c-e3f8a73263a0", + "id": "bundle--5d3cfbf4-d9f0-4ff2-b351-a489c43c6243", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json b/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json index fa7de93273..5d9af24e7b 100644 --- a/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json +++ b/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--10455a49-2f56-460e-83a6-c491c9760d07", + "id": "bundle--c129fc5f-bbfb-4286-9d47-459b77f369b9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json b/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json index dd330d4d0c..9dbdaafe38 100644 --- a/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json +++ b/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3c888a8-24d3-41f5-8677-80c29d024d04", + "id": "bundle--16688244-6dd4-49f9-9270-68b016e80d0b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json b/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json index d8dd92b3df..c98f3b8a4c 100644 
--- a/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json +++ b/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3993bbea-d027-459a-a5e1-70d3798c1e39", + "id": "bundle--96878d44-6f49-48de-bee0-061577c00c9a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json b/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json new file mode 100644 index 0000000000..a1b746077d --- /dev/null +++ b/ics-attack/relationship/relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--89e22bb9-af04-4091-8745-aba38602b948", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5968cbde-b3da-46df-a8bd-a30c2d85363b", + "created": "2023-09-28T21:28:21.910Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:21.910Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json b/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json new file mode 100644 index 0000000000..6b948b5884 --- /dev/null +++ b/ics-attack/relationship/relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9a4c49e1-811b-41c9-a4c3-a2abef5f68d1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--59b53303-e4df-49ec-8e5a-812f2b4265a8", + "created": "2023-09-29T17:09:25.690Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:25.690Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json b/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json index 40cda19ed2..3c2ecf08e3 100644 --- a/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json +++ b/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e684948c-0526-44c2-893a-140c88588d5d", + "id": "bundle--fc0d5403-422d-437b-9cc8-6a62d84d296c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json b/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json index 1caf4cb340..81b28e34e5 100644 --- a/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json +++ b/ics-attack/relationship/relationship--59cb471f-ad8b-464f-ab8f-c267f329b0dc.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7377acca-599f-4fe7-b426-6cfccf56108d", + "id": "bundle--7c6aa2b1-5f2b-4066-8772-2707fb3fe7d0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json b/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json index d052bcd06e..93c46f6c47 100644 --- a/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json +++ b/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b467d785-ca77-40aa-a405-1ce2aed66f5a", + "id": "bundle--84206682-ed33-47f5-93ae-5f6e6099986e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json b/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json new file mode 100644 index 0000000000..913637e367 --- /dev/null +++ b/ics-attack/relationship/relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--77554a2c-0e31-455c-a16d-d457f5648624", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5a97008b-c23b-4890-ba76-c30cf2a18fba", + "created": "2023-09-28T20:07:36.295Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:36.295Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json b/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json index 7a56851d5f..5ad415ad42 100644 --- a/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json +++ b/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd464473-6476-485f-ba7f-1c24318c46fe", + "id": "bundle--148883b0-b3c9-4656-8e15-c66234ea2168", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json b/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json new file mode 100644 index 0000000000..ca9e4dc834 --- /dev/null +++ b/ics-attack/relationship/relationship--5b14c813-09e2-4709-ab42-94830cf9538c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b723def1-f4a7-45dc-97cd-1155945adb94", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5b14c813-09e2-4709-ab42-94830cf9538c", + "created": "2023-09-29T18:42:39.876Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:42:39.876Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json b/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json index 21d88e0e73..b853fbb3e6 100644 --- a/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json +++ b/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ed91ecf-ed59-476b-97d1-82de75159a60", + "id": "bundle--58dbd13e-ba80-4ab8-803d-ec1cdb493a15", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json b/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json index 7cbe4ae2ae..ccaf04266d 100644 --- a/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json +++ b/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27c57c78-3221-4f3c-8458-7083183f603e", + "id": "bundle--755244de-6f4b-49c4-b369-cc8de5a9bbde", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json b/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json index f0f21088d9..24532b6994 100644 --- a/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json +++ b/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json 
@@ -1,31 +1,26 @@ { "type": "bundle", - "id": "bundle--1219ddca-2760-4f54-bc8b-de31c35bb16a", + "id": "bundle--c7ec9dce-dd84-466a-b4f7-7380cc5bb07b", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.156Z", + "modified": "2023-09-25T20:39:05.432Z", + "description": "Provide the ability to verify the integrity and authenticity of changes to parameter values.\n", "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json b/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json index b4433f7122..ac26ce1b86 100644 --- a/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json +++ b/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--096118e2-8a8d-4fa2-9b36-5559d5ba8ed4", + "id": "bundle--8089c89b-db2d-4813-a0f2-6a8b90c9ca7a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json b/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json new file mode 100644 index 0000000000..c103b45262 --- /dev/null +++ b/ics-attack/relationship/relationship--5c61c8a2-bfff-43fb-8397-bff864413d74.json 
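Review bot: The rewritten `description` of relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d still ends in an escaped `\n`, which every consumer that renders or compares this mitigation text has to trim. I would end the string at the full stop: `"description": "Provide the ability to verify the integrity and authenticity of changes to parameter values.",`. The new wording also drops the removed text's caution that CRCs and checksums are not cryptographically strong, along with the IEC reference, so the entry now states the goal without naming a mechanism. If that is intended for this technique it is fine; otherwise one clause pointing to cryptographic hashes or signatures would keep the mitigation actionable for defenders.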
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--98b279ec-f8dc-4ffc-8a31-47f7f62ee0f1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5c61c8a2-bfff-43fb-8397-bff864413d74", + "created": "2023-09-29T17:06:09.673Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:06:09.673Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json b/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json index 2a61a4a34a..2d691c6700 100644 --- a/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json +++ b/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23fc1928-6a56-4fc5-b5cd-b008be047c8b", + "id": "bundle--cdbd190c-913e-4579-ae47-a6424171a09d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json b/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json index 2ce100b4aa..5fca591bf1 100644 --- a/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json +++ b/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d966966-cb9c-4bae-ac77-ade18049f35c", + "id": "bundle--1de33c97-7b72-4645-9b22-8a7dd208701a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json b/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json index af9b4a9334..79a96bf0f3 100644 --- a/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json +++ b/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f406cdb-9dc3-4f4e-9123-335d534fa3b3", + "id": "bundle--8094898f-8e1b-4700-a87f-1b19a6aa73ac", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json b/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json index 196ccf6fa6..9f90eda9cd 100644 --- a/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json +++ b/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ba9a6fe-56af-401e-9268-724bb0084a9e", + "id": "bundle--01b81feb-708c-4105-ba70-2fcb39a983af", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json b/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json index 8a3941e14d..0d46248894 100644 --- a/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json +++ b/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d024b0e-c469-405a-9a40-29d7ba0f5236", + "id": "bundle--4cb06e59-2a5d-4101-822a-b806b9adb09b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json b/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json index 9b4989d604..91a28c8a71 100644 --- a/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json +++ b/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--029bb9ef-fea5-47d1-acc6-b34ec32f3075", + "id": "bundle--9e65b214-1484-4a9a-abbe-d398c4283afa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json b/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json index 92d004c2d3..45104c03c7 100644 --- a/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json +++ b/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ce72983-db03-4e14-993f-1a14ad2a5fa1", + "id": "bundle--a14918c8-02c4-4fd3-97f0-d3119787f39a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json b/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json index a5c55cc5bd..d3ec9b81c0 100644 --- a/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json +++ b/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3685c79-0a80-4b80-918b-312389c00d64", + "id": "bundle--5818a78d-750d-4809-b68e-edd59562f889", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json b/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json new file mode 100644 index 0000000000..8d9b0afa4c --- /dev/null 
+++ b/ics-attack/relationship/relationship--5e324da5-0fee-4dac-b289-410d560e03e9.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--027182df-07ed-4ed3-8010-4330e226612b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5e324da5-0fee-4dac-b289-410d560e03e9", + "created": "2023-09-28T19:46:49.255Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:46:49.255Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json b/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json new file mode 100644 index 0000000000..8a936ef3f1 --- /dev/null +++ b/ics-attack/relationship/relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2fff7781-b003-4459-92b8-ccae4da0c2a9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5ee01089-2ab6-4cf5-a39d-adf72666eceb", + "created": "2023-09-28T20:16:28.582Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:28.582Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json b/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json index 2d0a39d738..50fa7d556b 100644 --- a/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json +++ b/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30bf757f-ba96-4e2b-ae51-118606ca7e09", + "id": "bundle--e42f4f2f-1bd7-4f04-8043-b8479faf1a40", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json b/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json new file mode 100644 index 0000000000..53832c578a --- /dev/null +++ b/ics-attack/relationship/relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5b7f662f-ffd7-4560-8bfb-91215ffcd079", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0", + "created": "2023-09-25T20:49:49.605Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:49:49.605Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and\u00a0User Account Management.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json b/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json new file mode 100644 index 0000000000..e5b37d8e84 --- /dev/null +++ b/ics-attack/relationship/relationship--5ff26c96-c610-4669-b44e-d6318205be5a.json 
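Review bot: The `description` of the new mitigates relationship relationship--5f5c38f6-aa3e-4447-a2d3-a76830ab36b0 contains a non-breaking space, `and\u00a0User Account Management`, where the rest of the sentence uses ordinary spaces. It looks like a paste artifact, and plain-text search or phrase matching across "and User Account Management" will miss this entry. I would replace it with a normal space: `Password Policies, and User Account Management.`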
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fe0a4d3c-caf7-4a57-ae2a-b67429aa8df8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5ff26c96-c610-4669-b44e-d6318205be5a", + "created": "2023-09-29T16:43:28.841Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:43:28.841Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json b/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json new file mode 100644 index 0000000000..15092eda1c --- /dev/null +++ b/ics-attack/relationship/relationship--600f0115-94e3-49bf-afa6-0180b3367b94.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--18f6764a-8d80-48cf-b938-3b33e8718fc0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--600f0115-94e3-49bf-afa6-0180b3367b94", + "created": "2023-09-28T20:06:15.180Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:06:15.180Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json b/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json index 63f9c14bf8..5c5bbaebd4 100644 --- a/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json +++ b/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd561a42-3ff9-4012-b25e-27f1a2c4fffe", + "id": "bundle--117d36e8-f0b9-4b03-8295-c6ee3a958021", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json b/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json new file mode 100644 index 0000000000..833d5f3232 --- /dev/null +++ b/ics-attack/relationship/relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6c9915e5-3414-46cb-b2f3-40d182503bab", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--604e1830-11ac-4ccf-a1d0-b22b80c1b024", + "created": "2023-09-29T18:07:18.253Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:07:18.253Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json b/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json new file mode 100644 index 0000000000..1288aa4284 --- /dev/null +++ b/ics-attack/relationship/relationship--605f3853-b007-4134-8a2d-6a81a35e7676.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--50aa5bcd-32f7-47aa-8e72-4eabc3d06cc2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--605f3853-b007-4134-8a2d-6a81a35e7676", + "created": "2023-09-29T18:48:05.559Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:05.559Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json b/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json index fad43366c8..8e7f7a45c8 100644 --- a/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json +++ b/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54867fc2-ae6b-429c-8ebb-c4cc1d0b031e", + "id": "bundle--4190b4ab-e316-4522-9c59-0e7a7f003a6d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json b/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json index 92eb2a5810..61f491659b 100644 --- a/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json +++ b/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70721b87-1122-40af-8b7e-2a846ec9c0cd", + "id": "bundle--0bac1b66-7e9e-41c1-a4e0-2add950626c5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json b/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json index 438a686b7e..bf065e15ef 100644 --- a/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json +++ b/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20e34ceb-6688-4d81-b155-d4b82ad8b0a3", + "id": "bundle--729fda01-859f-47ce-9de7-ba2006f68721", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json b/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json new file mode 100644 index 0000000000..81723e388e --- /dev/null +++ b/ics-attack/relationship/relationship--62abe387-10a2-414b-881c-060b70db2157.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--cba96d2a-60bb-44a2-8883-ee08f2f71c6e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--62abe387-10a2-414b-881c-060b70db2157", + "created": "2023-09-28T20:08:39.992Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:08:39.992Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json b/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json index fbdf47ce77..4b7e3ddf19 100644 --- a/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json +++ b/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a1e31350-9555-4263-82b0-4e1fbfe9e181", + "id": "bundle--e700bb46-5229-417c-b17f-ff3371674959", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json b/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json index 99900450bc..7f2872b425 100644 --- a/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json +++ b/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8237fa92-cbdb-4921-90a1-374eae303a65", + "id": "bundle--c71d3b9c-352f-4d59-b6fc-cbc90e5102e0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json b/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json index 200077d559..8eff485a65 100644 --- a/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json +++ b/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db1c8c44-ce3c-4094-a9e8-bf775f1b4f2b", + "id": "bundle--4e035ad2-c7c4-4993-84fc-1c93b77d55ef", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json b/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json index 13a8eec048..ffa75f0cef 100644 
--- a/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json +++ b/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97cd41f3-3817-4d01-b309-47ede9dd77ab", + "id": "bundle--c56d7fa7-153d-4aba-8b1d-08680e2da577", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json b/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json index 7e9f578d09..a113fa8148 100644 --- a/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json +++ b/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--240a5b2b-2bab-4092-928c-d3061cdf9db3", + "id": "bundle--c8ab526e-e4e9-4a4c-9cf8-2cdfb4ec11dc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json b/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json new file mode 100644 index 0000000000..50b55e8d6d --- /dev/null +++ b/ics-attack/relationship/relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7e0d0347-597d-4473-b579-58d9c934e866", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--639148fb-d0a5-4a2f-b6a3-a5ceb83d620b", + "created": "2023-09-29T17:44:55.599Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:55.599Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json b/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json index ec6a3d3d89..87ed01db4f 100644 --- a/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json +++ b/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95c83ffb-dc7b-4057-bd90-38e9422fec76", + "id": "bundle--1fedf292-4d7d-4ea2-ad8f-257bd75b87cc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json b/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json new file mode 100644 index 0000000000..a59be7c9bd --- /dev/null +++ b/ics-attack/relationship/relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3.json 
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--9c5bebd4-d819-4ae7-9455-9cd316594b3b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--63f863e5-7c00-4474-8e43-bbe8bfb05cc3",
+ "created": "2023-09-29T16:43:05.495Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T16:43:05.495Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
+ "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--641813ea-66a9-4949-848f-db83420aac39.json b/ics-attack/relationship/relationship--641813ea-66a9-4949-848f-db83420aac39.json
deleted file mode 100644
index edb4f500ab..0000000000
--- a/ics-attack/relationship/relationship--641813ea-66a9-4949-848f-db83420aac39.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--2f6f6f88-2671-4fc4-9b43-a2e4a53242a6",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--641813ea-66a9-4949-848f-db83420aac39",
- "created": "2021-04-11T14:06:54.109Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
- "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
- "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2022-10-12T16:56:04.784Z",
- "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
- "relationship_type": "uses",
- "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
- "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- }
- ]
-}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json b/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json
index ce077bff12..c6790abccd 100644
--- a/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json
+++ b/ics-attack/relationship/relationship--642cae89-bb5c-46f3-9fea-8d747b930c35.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a14a7bc3-35a4-4574-a954-6cb29a39e544",
+ "id": "bundle--6a64914b-c133-4691-912e-9c294f44fcd0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json b/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json
index 7ed0d1bb75..b8d4956edb 100644
--- a/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json
+++ b/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1d445723-8ba4-41b6-b5ec-35179435ddf2",
+ "id": "bundle--91360530-4c2b-497c-9a20-0f000688aa2f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json b/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json
index 43b1947702..e6879c36f5 100644
--- a/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json
+++ b/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--198e60b5-7736-492d-b89f-2333bd87f406",
+ "id": "bundle--7170ad51-efa6-4b77-92ac-c7d257bb359f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json b/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json
index 7fc9fc1696..3343a7ddc2 100644
--- a/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json
+++ b/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ac0c0767-5e18-4f4d-acbb-1413721f841d",
+ "id": "bundle--7600b565-1244-4c1f-8823-8a9ba61b460a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json b/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json
new file mode 100644
index 0000000000..0c64f521ca
--- /dev/null
+++ b/ics-attack/relationship/relationship--652c1e77-cfea-4452-9762-5ba16f874119.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--166ab77d-4d84-4d82-9bed-26e42d609aa5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--652c1e77-cfea-4452-9762-5ba16f874119",
+ "created": "2023-09-29T17:58:42.002Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:58:42.002Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json b/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json
index 35b4da84b3..27fb4c454e 100644
--- a/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json
+++ b/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--19a57a85-c35a-44a8-a338-0a5075ee029c",
+ "id": "bundle--988ba99c-0a81-4c38-81ad-2eab805304da",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json b/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json
new file mode 100644
index 0000000000..3265b8ae73
--- /dev/null
+++ b/ics-attack/relationship/relationship--6573327e-3757-424e-8570-04ffe7d5d0e2.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--61788f4b-91e6-43d8-a728-70c027cdea2e",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6573327e-3757-424e-8570-04ffe7d5d0e2",
+ "created": "2023-09-27T14:53:25.385Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-27T15:22:13.576Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) used port 443 to communicate with their C2 servers. (Citation: Booz Allen Hamilton)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json b/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json
index 2c2663fd34..5d7489886d 100644
--- a/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json
+++ b/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--91fed9c4-27dc-4a7c-bbda-8ac63299e10a",
+ "id": "bundle--6f771b47-a8f1-4677-a465-d796eea68a9e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json b/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json
new file mode 100644
index 0000000000..60f12fcc8e
--- /dev/null
+++ b/ics-attack/relationship/relationship--65aa5a0d-926c-4b04-9509-f66a99639877.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--871be08d-f6c9-429d-b293-eec9bb4605f8",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--65aa5a0d-926c-4b04-9509-f66a99639877",
+ "created": "2023-09-29T17:41:34.892Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:41:34.892Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
+ "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json b/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json
index c37c57ea56..668ecdeb8f 100644
--- a/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json
+++ b/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ae09afbe-ef9e-4199-b843-c1a8b0cad52f",
+ "id": "bundle--39897c76-4074-479f-8982-3c1259638a2d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json b/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json
new file mode 100644
index 0000000000..724e7746a9
--- /dev/null
+++ b/ics-attack/relationship/relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--61077d3d-f8d5-4787-91dd-5507bdbab90c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--65d42e15-749b-4f86-86c5-b9f1da1e60c5",
+ "created": "2023-09-28T21:25:34.304Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:25:34.304Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b",
+ "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json b/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json
new file mode 100644
index 0000000000..1051deba78
--- /dev/null
+++ b/ics-attack/relationship/relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--72c9c355-5a71-4d9d-940e-91986c483ac9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--65e25631-05de-4ce2-88cc-52f91cfbdaf2",
+ "created": "2023-10-02T20:18:54.267Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-10-02T20:18:54.267Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json b/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json
index 48ec96ff6b..162a29fa0e 100644
--- a/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json
+++ b/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8cfaaca5-b85b-4290-a796-dc82531c9612",
+ "id": "bundle--4c834809-0c46-4e10-bba9-c52730f8c7cf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json b/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json
index cd681f48c3..31f07ca221 100644
--- a/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json
+++ b/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--056ec54e-8ce4-4481-a2bb-c6df246016ec",
+ "id": "bundle--446763df-3eb2-416c-a34f-4e695c15ad0b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json b/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json
index c09d8474d4..58688480e2 100644
--- a/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json
+++ b/ics-attack/relationship/relationship--665587ee-1524-4334-9580-2b448c417542.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eecb50f9-3d75-4765-8fce-dd498019d7c7",
+ "id": "bundle--d55177e5-0b17-40cd-ab72-1a178e4946a5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json b/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json
new file mode 100644
index 0000000000..a735b2a472
--- /dev/null
+++ b/ics-attack/relationship/relationship--66738beb-0a33-4d70-baec-8307b5b34f80.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--8257f5c4-a63d-4e50-9b78-89f8c07e1338",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--66738beb-0a33-4d70-baec-8307b5b34f80",
+ "created": "2023-09-28T20:16:05.975Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T20:16:05.975Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json b/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json
index 6e73b25d2e..c396b6a590 100644
--- a/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json
+++ b/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--49ea0738-222e-442f-9c14-2c4d1b8771da",
+ "id": "bundle--b31811ac-4dc5-4f0c-a70e-1466ad8c1abb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json b/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json
index 2f80be21bf..a02efbffd9 100644
--- a/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json
+++ b/ics-attack/relationship/relationship--668f8c4b-225a-4287-ac5b-7717a4f75b5d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0f189198-382c-4e0e-b1db-565e1b70ccc9",
+ "id": "bundle--2e14d071-866e-4ecb-92c9-d6c90b7b6a7d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json b/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json
index 4e6497e23c..f7a9981d2c 100644
--- a/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json
+++ b/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9e39edc6-aec2-43b9-a4af-e54c657fb2bf",
+ "id": "bundle--ab6ad0ea-7098-442b-bfa3-a2307b91a1b0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json b/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json
new file mode 100644
index 0000000000..5b87eb4fff
--- /dev/null
+++ b/ics-attack/relationship/relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--9202c267-4bf1-4a67-85f8-db9cc63260fb",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--66d041e2-d9e8-46cc-88ee-8e5c1cec8702",
+ "created": "2023-09-29T17:43:31.956Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:43:31.956Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
+ "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json b/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json
index 1e88007465..962a4d32b1 100644
--- a/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json
+++ b/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d2f6c3c4-6819-4d27-8740-493138af56b9",
+ "id": "bundle--b7af15c3-5c1a-4b25-8178-d9d43f4aa140",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json b/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json
index d28525efd0..f6f96522ba 100644
--- a/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json
+++ b/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--135d08ee-6538-4866-8e7c-cd964808964c",
+ "id": "bundle--189135b7-d20f-43cf-84e1-f0a9b8b68b01",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json b/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json
index 43a84bb865..74dba840c1 100644
--- a/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json
+++ b/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cc8df898-f099-4346-81b4-b83ad741002a",
+ "id": "bundle--7d8f8d90-4a3f-4273-9a47-375310266baf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json b/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json
new file mode 100644
index 0000000000..1c3318c85a
--- /dev/null
+++ b/ics-attack/relationship/relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--b5759d4c-d95d-4d14-a935-d519f5485012",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6754195a-99cd-4b45-bafd-4a374ae79bbd",
+ "created": "2023-09-29T18:02:52.119Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T18:02:52.119Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b",
+ "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json b/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json
new file mode 100644
index 0000000000..0e4da6bd14
--- /dev/null
+++ b/ics-attack/relationship/relationship--6795c92f-848f-488e-9c25-d240f99c9b34.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--1900cb09-a812-42b0-80c8-e3311bb5b1f4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--6795c92f-848f-488e-9c25-d240f99c9b34",
+ "created": "2023-09-28T21:23:39.333Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:23:39.333Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
+ "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json b/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json
index 8e3187ab21..13527827e9 100644
--- a/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json
+++ b/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--310ba99a-e66d-4576-8aae-28fc6ff70a2e",
+ "id": "bundle--4b710577-d816-430f-a477-c06a83e07d0e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json b/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json
index 131e29a4d4..0ba7c465e7 100644
--- a/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json
+++ b/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--14d4a064-01b7-41f8-bf79-d76402153891",
+ "id": "bundle--ba13a4a5-6fdd-44eb-9ff4-7036f52f47f8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json b/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json
new file mode 100644
index 0000000000..ccbeced277
--- /dev/null
+++ b/ics-attack/relationship/relationship--67ae8423-c401-4c11-93d3-0454c288d934.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--c7f28436-ed6c-4321-98a3-3c45a16ebe4d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--67ae8423-c401-4c11-93d3-0454c288d934",
+ "created": "2023-09-29T16:31:57.421Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T16:31:57.421Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json b/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json
new file mode 100644
index 0000000000..cf5e7855dc
--- /dev/null
+++ b/ics-attack/relationship/relationship--67dae594-4239-4756-a0bc-dee75de19e4c.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--fcd6330f-853d-45f3-b486-6f0652af5175",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--67dae594-4239-4756-a0bc-dee75de19e4c",
+ "created": "2023-09-29T17:07:14.259Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:07:14.259Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307",
+ "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json b/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json
index f13830054a..a70a38be58 100644
--- a/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json
+++ b/ics-attack/relationship/relationship--67e11f38-9f68-4989-8de3-da65af52063e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4b12a268-12d1-4a26-aba8-e5e93bb21a78",
+ "id": "bundle--c0b0e07a-d11d-405e-9e37-a0273b721945",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json b/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json
index f2a2160d8a..07a5f86008 100644
--- a/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json
+++ b/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--88682b19-568d-408a-af2f-492106a208f3",
+ "id": "bundle--5b367662-5fc3-476f-b7a4-38724b68fdc6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json b/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json
new file mode 100644
index 0000000000..8be23dc871
--- /dev/null
+++ b/ics-attack/relationship/relationship--685249f9-e51a-4914-8b7f-09679e04198b.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--7daefd10-57f2-4bd3-9a39-d5b30b9af895",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--685249f9-e51a-4914-8b7f-09679e04198b",
+ "created": "2023-09-28T19:49:11.359Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T19:49:11.359Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json b/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json
index f54dfa2e24..19f4f99d1c 100644
--- a/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json
+++ b/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fedd48da-d077-43ad-8c1c-f06d449bdb30",
+ "id": "bundle--2307d37d-2c86-43d1-94d6-802edf7e6bb5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json b/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json
new file mode 100644
index 0000000000..76090e2cbe
--- /dev/null
+++ b/ics-attack/relationship/relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--62c045de-dee4-4c19-86d4-1ee1e7b0e946",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--688d2041-5c8b-47e0-86e1-a8d16134bdb1",
+ "created": "2023-09-28T19:39:25.832Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T19:39:25.832Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
+ "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json b/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json
index 698de23678..a0edb85ec5 100644
--- a/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json
+++ b/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json
@@ -1,72 +1,77 @@ { "type": "bundle", - "id": "bundle--bd4aa709-0d2b-44dd-8d3c-675e758a0f8d", + "id": "bundle--842e5a05-b2b4-48fa-8c75-b9455d49d2d3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", "created": "2020-05-14T14:40:26.221Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", - "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020." + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" }, { "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", - "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", - "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. 
Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" }, { "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" }, { "source_name": "FireEye KEGTAP SINGLEMALT October 2020", - "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" }, { "source_name": "CrowdStrike Wizard Spider October 2020", - "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", - "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. 
Retrieved June 15, 2021.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" }, { "source_name": "Sophos New Ryuk Attack October 2020", - "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", - "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020." + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" + }, + { + "source_name": "Mandiant FIN12 Oct 2021", + "description": "Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.", + "url": "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" }, { "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", - "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", - "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020." + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" }, { "source_name": "DFIR Ryuk in 5 Hours October 2020", - "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020." + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. 
Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" }, { "source_name": "DFIR Ryuk's Return October 2020", - "url": "https://thedfirreport.com/2020/10/08/ryuks-return/", - "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020." + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" } ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", - "modified": "2022-05-20T17:07:10.940Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-12T14:30:20.653Z", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)", "relationship_type": "uses", "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_deprecated": false, + 
"x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json b/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json index 63c14d98a0..56c9349f60 100644 --- a/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json +++ b/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9acaa4fe-8089-4641-b6b2-e04455003ef4", + "id": "bundle--fc19e67c-18ab-4236-9112-ea7eab318a60", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json b/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json index 0d60288aec..0149619559 100644 --- a/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json +++ b/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--701e9d4d-09c2-4eaf-8009-2797ef951635", + "id": "bundle--085dff77-b5c4-491d-baf6-e770a37fa68b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json b/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json index abcbb39112..115292b98c 100644 --- a/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json +++ b/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1eeed652-ee35-4770-8a3a-b03b9fc1d94a", + "id": "bundle--901bd5a6-fb4d-4402-bceb-855c671c3147", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json b/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json index b47767cbc2..96d249ee8c 100644 --- a/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json +++ b/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0e66ecd-67df-4848-9f20-6790f9777fd9", + "id": "bundle--5fbc8098-9bc4-4cd0-be5a-625b2f0921ff", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json b/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json new file mode 100644 index 0000000000..01bbe49795 --- /dev/null +++ b/ics-attack/relationship/relationship--692ff921-c74d-40a4-ab31-879aba5f247a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0e061ec1-43b4-41f1-baca-3077f1f28596", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--692ff921-c74d-40a4-ab31-879aba5f247a", + "created": "2023-09-29T16:42:01.287Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:01.287Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json b/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json index 14b58425db..b689cebd60 100644 --- a/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json +++ b/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd06a5d6-9263-4f1f-bd57-0330bad09500", + "id": "bundle--e742d304-ca1a-462a-9d8a-a15881d0d1a9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json b/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json index bbf8865149..2fc0794fd4 100644 --- a/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json +++ b/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json 
@@ -1,21 +1,14 @@ { "type": "bundle", - "id": "bundle--3e71af97-242f-4983-9bc1-84766b6db158", + "id": "bundle--04d1149a-fc7c-4df4-9c56-e296245fc212", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.154Z", - "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "IEC February 2019", 
@@ -23,9 +16,18 @@ "url": "https://webstore.iec.ch/publication/34421" } ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:36:26.282Z", + "description": "Provide the ability to verify the integrity of controller tasking. While techniques like CRCs and checksums are commonly used, they are not cryptographically secure and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json b/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json new file mode 100644 index 0000000000..1b81fcc0c7 --- /dev/null +++ b/ics-attack/relationship/relationship--69cf4015-fae1-47f6-9253-1f99209288a5.json 
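Review bot: The reworded `description` in relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7 still recommends a cryptographic hash alone (`SHA-2, SHA-3`) for verifying controller tasking. An unkeyed digest only detects tampering if the reference value is kept where whoever can change the tasking cannot also rewrite it. I would add a sentence such as `The expected digest should be stored and compared outside the controller, or the tasking should be signed, so that a party able to modify it cannot also replace the reference value.` The string also keeps its trailing `\n` from the old text, which looks unintended and could be dropped in the same edit.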
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e7177572-b8f5-4e98-9bbf-cee1bb937123", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--69cf4015-fae1-47f6-9253-1f99209288a5", + "created": "2023-09-29T16:27:34.964Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:27:34.964Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json b/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json new file mode 100644 index 0000000000..1cdddeac52 --- /dev/null +++ b/ics-attack/relationship/relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9c9e5b99-dc47-42cb-9e3a-38a72a09fbb7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--69f4ed24-c2f7-49e1-99a2-350cc2795820", + "created": "2023-09-29T17:44:19.135Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:19.135Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json b/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json new file mode 100644 index 0000000000..4b620d72b6 --- /dev/null +++ b/ics-attack/relationship/relationship--6a476f56-2c07-43be-8054-d978ee8eb924.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6323286d-f414-4a72-9034-52764acb4629", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6a476f56-2c07-43be-8054-d978ee8eb924", + "created": "2023-09-29T16:42:12.160Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:12.160Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json b/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json index 54fb46165c..7064bfae69 100644 --- a/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json +++ b/ics-attack/relationship/relationship--6a5922e1-e282-464d-9e71-ce2c2ed44908.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad870b29-3269-450f-be11-c19afbd83977", + "id": "bundle--fe44bc38-cdbb-4f25-8ed1-4dbd4c6b2abe", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json b/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json index 16dd8eb355..2523df360e 100644 --- a/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json +++ b/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e73d90c8-e4dd-4065-803c-0243148ba3fd", + "id": "bundle--cf55cfb1-59ad-4774-88af-9f283a169ed7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json b/ics-attack/relationship/relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json index 3712e82c3f..5021efaa66 100644 --- a/ics-attack/relationship/relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json +++ b/ics-attack/relationship/relationship--6acf3236-d7e6-416c-90e5-5cf6bd89e01d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0734414-f1c6-4e95-8191-5a7fdc8073e2", + "id": "bundle--95035c85-c383-4dca-9ec2-5dc53447868f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json b/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json index ce9bf1c782..e2706f620a 100644 --- a/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json +++ b/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--112e8be2-74f8-4a9e-9fa3-e4f94b8c72fc", + "id": "bundle--a5c6cb08-da2f-4226-9500-b13e3624591e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json b/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json new file mode 100644 index 0000000000..25ba02f094 --- /dev/null +++ b/ics-attack/relationship/relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6dd8f9b4-e7e3-4348-800e-6f48c66b0c58", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6ad3b5cc-7ba1-4287-8c05-d02385f84f72", + "created": "2023-09-29T16:31:22.789Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:31:22.789Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json b/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json new file mode 100644 index 0000000000..f5c372dfbd --- /dev/null +++ b/ics-attack/relationship/relationship--6b54f354-9059-4366-8077-87360c4db2ab.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4bceec2b-b82d-469f-8119-3a95a0169fe2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6b54f354-9059-4366-8077-87360c4db2ab", + "created": "2023-10-02T20:18:20.019Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:18:20.019Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json b/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json index 250ee5455d..d884331ed2 100644 --- a/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json +++ b/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--55567907-8269-4f84-8768-17fb11eaab5c", + "id": "bundle--35cc291c-e0c8-48ab-8142-21cca33886ce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json b/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json index d9a2054a59..df954443be 100644 --- a/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json +++ b/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a4a39c2-306a-4e10-a97c-c4a8b3d325d2", + "id": "bundle--b31e24d0-f2b9-4b9a-92b3-ef37083a3355", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json b/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json index 8ce14d61cf..0566b312a5 100644 --- a/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json +++ b/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--469bd475-91be-4c44-94bf-22b4b859d42a", + "id": "bundle--5869f188-053f-4862-92aa-6fa4b25557de", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json b/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json index c40ce62d2a..96bb8e3bcd 100644 --- a/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json +++ b/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d46661c-3232-42f8-89d3-dcb89ccf0a17", + "id": "bundle--9986c6ea-c53b-4145-84cb-3b144d671f0c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json b/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json index f4638030cc..e14789173b 100644 --- a/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json +++ b/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90ef720c-14cf-4910-90a1-2c1f4f593137", + "id": "bundle--15f6318b-5355-4c1e-8ebc-f3e5eda3ecd2", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json b/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json index 9fa44ac085..228304d167 100644 --- a/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json +++ b/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2eee1b3c-88dd-4f44-93f5-b08a0e3e189e", + "id": "bundle--eb23cdf9-70b9-41da-9a39-f469674ed5a9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json b/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json index 54b086de3b..61019eb8fe 100644 --- a/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json +++ b/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--998b53f6-490e-4470-957f-5ec24bd54ffa", + "id": "bundle--c90cffee-b89d-40a1-965a-336d069e59c6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json b/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json index f0461d7fb3..fc50b17527 100644 --- a/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json +++ b/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--706cafae-f4f9-416d-a681-a734579dacdc", + "id": "bundle--9b90a2cd-2c90-4a22-84eb-ff8bef2dba49", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json b/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json index edf53a5510..f08a64d51c 100644 
--- a/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json +++ b/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ebf376a0-1666-402c-a109-ca8e560655b1", + "id": "bundle--6c1f9d53-012b-4351-bf8b-b49ba7d9e392", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json b/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json new file mode 100644 index 0000000000..e625ec6580 --- /dev/null +++ b/ics-attack/relationship/relationship--6c31c795-935a-41ad-8db1-d74430f4a553.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d50e3c7d-4434-47cc-bde7-3d85e7781c72", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6c31c795-935a-41ad-8db1-d74430f4a553", + "created": "2023-09-29T18:56:59.151Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:59.151Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json b/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json new file mode 100644 index 0000000000..cdce68b440 --- /dev/null +++ b/ics-attack/relationship/relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a1c149e7-1a0a-480c-abcc-3765ba8278a9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6c470aa0-b119-4078-80fc-2b66a4d6eac4", + "created": "2023-09-28T20:09:36.756Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:09:36.756Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json b/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json new file mode 100644 index 0000000000..5a7921d254 --- /dev/null +++ b/ics-attack/relationship/relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d8a8cbc0-f461-4e2b-adbb-1bb1744b9036", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6c9c1c11-c996-4d2b-bbed-d73ae30efd2e", + "created": "2023-09-28T20:08:52.975Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:08:52.975Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json b/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json index 8c038fb070..00a0052501 100644 --- a/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json +++ b/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8476cf95-5678-4f89-8ed4-cc3c04c89ae5", + "id": "bundle--e56a4ea7-a4e8-4ed1-9a9f-b4adc513adf3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json b/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json index 0219ebdd8d..991916a242 100644 --- a/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json +++ b/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--41d32be8-850d-4a4d-9c90-c0df418d8344", + "id": "bundle--3c68925b-697f-4574-a53a-0b6d34e63004", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json b/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json index 54c9c5b49d..6a3ea96bb8 100644 --- a/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json +++ b/ics-attack/relationship/relationship--6e329090-fc8c-4a7f-bbf9-08067ad9ebe5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52eeebda-ce56-4dc2-a436-c453003fee23", + "id": "bundle--16a46cc5-7171-4127-bd0e-938ab1532b68", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json b/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json index e7d8113499..cf0aad9e11 100644 --- a/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json +++ b/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--837d9f15-4cbf-4569-bb5f-d4be17ce188f", + "id": "bundle--acbe601b-2207-4828-b2a4-45554633dd5c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json b/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json index 71d3b5241e..e8530a4d16 100644 --- a/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json +++ b/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f07c121-acc1-454f-8fc7-fdb33f2e8037", + "id": "bundle--a963a289-28a2-4431-84a5-b3e7c2d940a7", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json b/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json index 593fb764ce..367b6a392b 100644 --- a/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json +++ b/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b8098396-9f11-45d8-92d7-3b5390610f38", + "id": "bundle--e90a1204-132a-4e9a-8c7d-609cd450fc57", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json b/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json index 312a05bd94..010510ba76 100644 --- a/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json +++ b/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f37ba0c1-1927-4c56-8308-9a94d8776634", + "id": "bundle--a665dece-2534-42bd-b1d2-dd38ca1c8909", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json b/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json new file mode 100644 index 0000000000..48f8843245 --- /dev/null +++ b/ics-attack/relationship/relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8771c611-fbbf-45a8-9a52-18df2a48d8a2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6f1479d9-dfd4-4baa-abd5-9847781ef9bf", + "created": "2023-09-29T17:41:50.116Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:41:50.116Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json b/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json index 5cb7b9be77..a1e0feec25 100644 --- a/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json +++ b/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--671ba30e-e4b6-4550-9b6c-77c1002aa885", + "id": "bundle--0a308882-fec5-4295-a5e2-963da8b86b7f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json b/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json new file mode 100644 index 0000000000..10bec773fb --- /dev/null +++ b/ics-attack/relationship/relationship--6f2ddada-d7df-4788-b5d1-9add185142e0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ed9b2647-e7f1-4d08-bbd8-e47d8dbe183e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6f2ddada-d7df-4788-b5d1-9add185142e0", + "created": "2023-09-28T20:02:57.330Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:02:57.330Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json b/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json new file mode 100644 index 0000000000..a55bfec256 --- /dev/null +++ b/ics-attack/relationship/relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1e30c69c-f533-49fc-9254-46edcc54cc31", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6f72c60e-2739-40b6-b6a9-66d2a3d1833e", + "created": "2023-09-28T21:27:14.172Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:27:14.172Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json b/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json new file mode 100644 index 0000000000..b20e802f9d --- /dev/null +++ b/ics-attack/relationship/relationship--6f950c91-125b-46a0-aa40-239b4de2306a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ff53c4bb-8b9f-4bef-ac71-461493500a51", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6f950c91-125b-46a0-aa40-239b4de2306a", + "created": "2023-09-28T21:14:03.305Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:03.305Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json b/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json index 71cb128f30..dad9d58786 100644 --- a/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json +++ b/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c66213ee-db02-48c7-82ee-e8d05fbea45b", + "id": "bundle--799a286d-1c15-4d39-b971-b6abcec664f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json b/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json index 855a90a478..355f13bb72 100644 --- a/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json +++ b/ics-attack/relationship/relationship--6ff846b1-9444-45f1-837a-4eeeb16bdfe7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e43878c8-bb87-4557-936e-cea86825419b", + "id": "bundle--f0f3326d-4387-43e5-9b9d-baf56e97afe6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json b/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json index 1155f66db4..01901155db 100644 --- a/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json +++ b/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7b2b4f6-9174-4688-8a62-d20850e94363", + "id": "bundle--825e44dc-7bff-4e4d-9f2d-9b5c99db4c6b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json b/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json index 184503bc09..57e0cd5089 100644 --- a/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json +++ b/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7fd40f88-fa15-40fb-a150-ac73ad03f0cd", + "id": "bundle--1e1215fc-f9a8-4f68-947e-8487765f8339", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json b/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json index 2241b1cfeb..c0656364a4 100644 --- a/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json +++ b/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--683dbc01-bffe-4b87-8c1c-cf6edcef227c", + "id": "bundle--8b22965f-c668-439b-b531-2a56e92550c5", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json b/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json index d3b57dd774..1bf28bf933 100644 --- a/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json +++ b/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7ddb2af-2d3b-4965-824a-565e104845b8", + "id": "bundle--7c0865b7-5f1e-45a4-9a96-297cf8a52d8c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json b/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json index 5d1fa25c70..61d8e489e8 100644 --- a/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json +++ b/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d89dc969-4efb-4485-8d32-f31a64849e5d", + "id": "bundle--a85656b8-fb2e-4645-ae5f-6518e2b6e7a0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json b/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json index cab147ddf9..b8fd977c47 100644 --- a/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json +++ b/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--282e584e-0c29-4516-8d7c-d5a20037f8b0", + "id": "bundle--3003b624-86e9-4784-bf9f-d3fbd159cf0f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json b/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json new file mode 100644 index 0000000000..2a0706f26a --- /dev/null 
+++ b/ics-attack/relationship/relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8bdf99fe-4f11-49fe-8f21-8cd205061775", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--71a2c3f5-7383-4bd8-a830-dc2aae62a977", + "created": "2023-09-28T19:55:37.459Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:55:37.459Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--71c81024-ea36-4853-940a-cd9d4cbcabed.json b/ics-attack/relationship/relationship--71c81024-ea36-4853-940a-cd9d4cbcabed.json index 557fcf369a..7414f115e6 100644 --- a/ics-attack/relationship/relationship--71c81024-ea36-4853-940a-cd9d4cbcabed.json +++ b/ics-attack/relationship/relationship--71c81024-ea36-4853-940a-cd9d4cbcabed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c4195d99-d770-48a3-b734-74878cae725c", + "id": "bundle--a7b37bad-818f-4073-a925-4e3ba7d776e3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json b/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json index e1d6833f03..4cbb6c0082 100644 --- a/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json +++ b/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7bd748c7-1496-41e3-b9bc-458985c8e50c", + "id": "bundle--3f49b567-ab71-4077-8161-dfcf7f6a0a63", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json b/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json index fa60e02b9e..fc20158d11 100644 --- a/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json +++ b/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91c53704-49f8-43f4-8acc-06e78b4cf1af", + "id": "bundle--ad6eda65-3f47-43e4-8940-d0c3ba9a8894", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json b/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json index 80ee19f4f7..81157dd844 100644 --- a/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json +++ b/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8026d51c-c00f-4d0f-983d-683c7a352763", + "id": "bundle--f4a3ef9f-347e-43ff-afe6-e5362b7eaef9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json b/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json index fec6e51d96..3e095f59c9 100644 --- a/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json +++ b/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c070c3c5-11d9-4f71-af52-37949e6c0ba4", + "id": "bundle--42b4ef69-b1bb-4715-b2b7-adc647de3cbf", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json b/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json index 7e9b3069e4..a88305a5df 100644 --- a/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json +++ b/ics-attack/relationship/relationship--730580d4-d68c-407f-9d09-f379e9aefc7e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c87b2ba-cfb6-4fbb-b2e7-fd7d6024be9d", + "id": "bundle--fff1d780-cf6e-40fb-a0ac-e0436739c62a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json b/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json new file mode 100644 index 0000000000..129504fb7d --- /dev/null +++ b/ics-attack/relationship/relationship--73093c08-ea39-4956-8bff-55e15f6630cd.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6f21bca0-4a95-4b24-9c71-88eb1ed28567", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--73093c08-ea39-4956-8bff-55e15f6630cd", + "created": "2023-09-28T20:07:59.785Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:59.785Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json b/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json index 9fec5300a8..99874a1df7 100644 --- a/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json +++ b/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c3113e3-9bbe-4c4c-a5b4-9a9104f16e6c", + "id": "bundle--df437059-4bdd-41ed-bfab-7aa66571966e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json b/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json index 9b1fb3b6a9..a6b153bfc2 100644 --- a/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json +++ b/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f225f0ea-0920-4c44-8739-242ac8a44169", + "id": "bundle--468aebe3-1e74-4711-a01d-57a5ce59241f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json b/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json new file mode 100644 index 0000000000..1c2aeb1cb7 --- /dev/null +++ b/ics-attack/relationship/relationship--740082b7-2411-473a-a59d-4d46cf12f8b5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--889ebd9a-d562-47a8-9578-bef7a1ebcf34", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--740082b7-2411-473a-a59d-4d46cf12f8b5", + "created": "2023-09-29T18:45:01.516Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:01.516Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json b/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json index eb5e25710d..08fd60d9d1 100644 --- a/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json +++ b/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a9dff1d-8c7b-48c5-aaed-89ed40dbfbfb", + "id": "bundle--4a3a0caa-b4de-40b2-a424-b5fa66111aae", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json b/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json new file mode 100644 index 0000000000..7fd1fda997 --- /dev/null +++ b/ics-attack/relationship/relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d7b03734-cc3c-45d4-bcf7-d6aee6d4e7ea", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--745b5268-f2b3-499c-a6a4-63d7e8667ff7", + "created": "2023-09-29T17:57:23.090Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:23.090Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json b/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json index 66cd0e41c6..8193545206 100644 --- a/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json +++ b/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2ba854a-a92e-4ac7-b2a1-915366808f93", + "id": "bundle--fb5a1c35-aad7-43e4-9e61-e96a0713f68e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json b/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json index e28e7bdb88..02e6338fdb 100644 --- a/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json +++ b/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53e4fcfd-bf97-4f10-b7e0-4dc3170a327b", + "id": "bundle--78c7606b-e96b-4482-bac2-2599e5444a08", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json b/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json index a5db145929..28961e5638 100644 --- a/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json +++ b/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75a97ff7-358b-4694-beea-811d44430d12", + "id": "bundle--3a343724-cb17-4403-881e-d1fa98109e30", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json b/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json index b28d5daf5e..b356b13843 100644 --- a/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json +++ b/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32cc0d98-5823-46c5-b0a9-8542c32a132b", + "id": "bundle--730adfdd-7fe2-4bb9-83f4-b35f70d87b1b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json b/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json new file mode 100644 index 0000000000..e4e444a98b --- /dev/null +++ b/ics-attack/relationship/relationship--7584e57f-1258-4c47-b18d-99019a586e6c.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a5adca33-4dc5-42b8-b783-172ca1e9f5ca", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7584e57f-1258-4c47-b18d-99019a586e6c", + "created": "2023-09-28T21:16:35.382Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:35.382Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json b/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json new file mode 100644 index 0000000000..3e87fe3f52 --- /dev/null +++ b/ics-attack/relationship/relationship--758773e3-d23d-44db-b5d3-643cde5b41f1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--78836574-e348-4fdf-afc0-c46f60ee71c5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--758773e3-d23d-44db-b5d3-643cde5b41f1", + "created": "2023-09-28T19:45:07.511Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:45:07.511Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json b/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json index b011c1e448..ea1440dbfa 100644 --- a/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json +++ b/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--130e77fa-e2d1-454e-a0c1-49004af40bc7", + "id": "bundle--18602469-b057-4310-8373-5e09585a7da0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json b/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json index f9e0d36ce7..a163ea7acd 100644 --- a/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json +++ b/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d7d63ce-b387-4568-801b-e1d06f39ab4b", + "id": "bundle--9a3dfef6-8c33-4e3e-9d57-17fb75924de6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json b/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json new file mode 100644 index 0000000000..7b90e13d0e --- /dev/null +++ b/ics-attack/relationship/relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1e73c741-da87-4066-a263-5703cef28d99", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--75c27f4e-d1e3-490a-9793-a6fc8e326a48", + "created": "2023-09-29T17:06:33.098Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:06:33.098Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json b/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json new file mode 100644 index 0000000000..51d09a33b1 --- /dev/null +++ b/ics-attack/relationship/relationship--75e6adae-06a7-47e9-878e-74ca73004c3b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4d0789b3-c764-4719-89c4-cf9308d8283a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--75e6adae-06a7-47e9-878e-74ca73004c3b", + "created": "2023-09-28T20:30:01.641Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:01.641Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json b/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json new file mode 100644 index 0000000000..ff732e38df --- /dev/null +++ b/ics-attack/relationship/relationship--76537fd7-5782-4a8d-9b54-117b168a4306.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3e667b0d-c064-4ab2-a7bd-5f62a5bd0428", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--76537fd7-5782-4a8d-9b54-117b168a4306", + "created": "2023-09-29T16:38:51.155Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:38:51.155Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json b/ics-attack/relationship/relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json deleted file mode 100644 index 5186113739..0000000000 --- a/ics-attack/relationship/relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--175dff98-5ec7-47b6-99f9-b216debab1f2", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb", - "created": "2022-09-20T20:55:00.134Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:25:44.859Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized the operator HMI interface through the graphical user interface. This action led to immediate operator detection as they were able to see the adversary making changes on their screen.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json b/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json index 0ce5478252..0b282c3329 100644 --- a/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json +++ b/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f8a48339-8960-4aa5-8b1a-65eabb857e2a", + "id": "bundle--7390f9b3-2dda-4a7f-a735-c33433de43df", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json b/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json new file mode 100644 index 0000000000..b20bd8d8c1 --- /dev/null +++ b/ics-attack/relationship/relationship--77566f94-5e26-41c9-892f-2f62b395afe7.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9bc6d4cc-8ca1-4d12-9c0f-e5695ef7ed93", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--77566f94-5e26-41c9-892f-2f62b395afe7", + "created": "2023-09-28T20:01:43.057Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:01:43.057Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json b/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json index e911530d2f..97a6e38b7d 100644 --- a/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json +++ b/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c43f112b-3384-4ada-9667-bbfbb83f8b24", + "id": "bundle--bbac1a24-354e-406a-ade8-93cce285ba77", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json b/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json new file mode 100644 index 0000000000..bfa4969de2 --- /dev/null +++ b/ics-attack/relationship/relationship--77f3a64d-227d-487f-8484-89007e05b59f.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--98275982-6cbb-4354-85ee-87a269856615", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--77f3a64d-227d-487f-8484-89007e05b59f", + "created": "2023-09-28T21:16:14.153Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:14.153Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json b/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json new file mode 100644 index 0000000000..7ec7dbafc0 --- /dev/null +++ b/ics-attack/relationship/relationship--78881a3d-59ad-4fbb-8bd2-69388a068584.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--13cdaceb-b49f-4cd0-a1a6-9514b4c35f5e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--78881a3d-59ad-4fbb-8bd2-69388a068584", + "created": "2023-09-29T18:01:45.518Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:01:45.518Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json b/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json new file mode 100644 index 0000000000..7b865d30ec --- /dev/null +++ b/ics-attack/relationship/relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f13756c1-b601-4359-a21a-596b09991673", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--788a2994-f3fd-4ac4-9ef3-06a72a4e1631", + "created": "2023-09-28T21:09:33.225Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:09:33.225Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json b/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json index 3bda38657a..d3bb615586 100644 --- a/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json +++ b/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9193d25c-0668-4176-9033-9d3f659fc5ed", + "id": "bundle--bb885c7b-753c-4532-8475-3b8b2035178d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json b/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json index a5f266d251..2f730c4be2 100644 --- a/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json +++ b/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aac2da88-3baf-4957-a5f3-d0e017f5483d", + "id": "bundle--8a38b2a0-b12d-4eca-8412-e59cf770ffdc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json b/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json index 1db3b3863d..2111ca7afc 100644 --- a/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json +++ b/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--997071ad-8f7a-41c1-bda8-edc033642c1c", + "id": "bundle--707bd073-ba02-4f20-8ee0-99824bfa65cf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json b/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json new file mode 100644 index 0000000000..34c57916b3 --- /dev/null +++ b/ics-attack/relationship/relationship--79235599-e23f-43cb-9c56-1eb22b7c4664.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--71f55463-7186-4f33-af99-2fe2622227b3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--79235599-e23f-43cb-9c56-1eb22b7c4664", + "created": "2023-09-29T16:38:38.201Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:38:38.201Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json b/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json index c0b3f9ebe4..52286789bf 100644 --- a/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json +++ b/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--342003f4-1841-47fd-a4dd-b4ef8cd32eb3", + "id": "bundle--8fecc185-5645-4f13-8b30-7f85bd797978", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json b/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json new file mode 100644 index 0000000000..a5bad27b82 --- /dev/null +++ b/ics-attack/relationship/relationship--79407d1e-8e16-48c1-939c-ad92f91dd988.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--94fff468-f9ff-404b-b26f-5569202ff440", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--79407d1e-8e16-48c1-939c-ad92f91dd988", + "created": "2023-09-29T16:30:19.141Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:30:19.141Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json b/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json index 29c21ad8e1..e0a9a8c51f 100644 --- a/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json +++ b/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e985acc3-cbd3-4846-b35d-99ec76c250f3", + "id": "bundle--16478061-5c4b-4c09-a361-be5ed3a9c08e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json b/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json new file mode 100644 index 0000000000..1b94e365a2 --- /dev/null +++ b/ics-attack/relationship/relationship--798de2f3-218b-4622-a62c-84e3840d45a6.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--11f41d9c-14fb-44ea-bae1-9d9247eebc6c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--798de2f3-218b-4622-a62c-84e3840d45a6", + "created": "2023-09-29T18:00:10.845Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:00:10.845Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json b/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json new file mode 100644 index 0000000000..26d7e96d3b --- /dev/null +++ b/ics-attack/relationship/relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7f942182-d819-4abd-adc4-e825c730cf45", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--79c6d710-baf4-411e-a3f5-9cb8d42b7c19", + "created": "2023-09-29T16:32:22.510Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:32:22.510Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json b/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json index 2547b867c9..e3909e045d 100644 --- a/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json +++ b/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95047f7d-a865-4ba0-a958-f73d9121e7f1", + "id": "bundle--d3f50014-cd01-44bb-8489-0f9f4bd5d25b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json b/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json index ccd445e555..5a9126864a 100644 --- a/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json +++ b/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71c735b9-db1d-43bb-9ce6-b6f6c06b4f3d", + "id": "bundle--d0b648e9-2b17-40a7-b6c9-0bd8c97a25b9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json b/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json index 18d6e49839..4e0d44b577 100644 --- a/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json +++ b/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--92dc1837-cd56-4d85-8f86-4326896e340f", + "id": "bundle--399052c2-5514-407e-b7ec-93483fd461aa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json b/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json index 64475704b9..7b8af45113 100644 --- a/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json +++ b/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3cc2f798-f8e0-4acb-9482-2d713e10075c", + "id": "bundle--3e472bb2-2dcb-4578-945f-951b6a8cdeeb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json b/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json index 6023e9e02b..8bec3b9dc9 100644 
--- a/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json +++ b/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ba229f88-2fc9-485f-96af-5917c803ad08", + "id": "bundle--a7cc0af6-2463-4481-b067-ff929dabcfaf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json b/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json new file mode 100644 index 0000000000..6092d081cc --- /dev/null +++ b/ics-attack/relationship/relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e1c4028c-1526-4e67-87a6-23997efd49c0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7b1e00af-11fb-4862-a193-55dc9b6652c0", + "created": "2023-09-29T16:33:23.456Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:33:23.456Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json b/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json new file mode 100644 index 0000000000..b35666bbe5 --- /dev/null +++ b/ics-attack/relationship/relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--67f3f173-6b5d-4170-9e77-a7118d1ee3fa", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7b814e39-71fc-4e99-b46f-b24eca6cc780", + "created": "2023-09-28T19:45:42.727Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:45:42.727Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json b/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json new file mode 100644 index 0000000000..69984d03cd --- /dev/null +++ b/ics-attack/relationship/relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4d7002df-fbac-4c51-983f-db87b31237b8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7b95b2aa-9561-494f-8e02-d36edc14e38b", + "created": "2023-09-29T17:39:54.089Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:39:54.089Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json b/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json new file mode 100644 index 0000000000..41a58c4206 --- /dev/null +++ b/ics-attack/relationship/relationship--7bb1dbec-7314-479a-9496-86f8e25041eb.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9ea97ff3-8d38-45da-83c3-e68f1886865a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7bb1dbec-7314-479a-9496-86f8e25041eb", + "created": "2023-09-29T16:40:43.415Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:43.416Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json b/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json new file mode 100644 index 0000000000..48b3a47693 --- /dev/null +++ b/ics-attack/relationship/relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7f01caff-2976-44ff-923d-fa54e34112f8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7bbe6ac7-d0fb-40e4-8537-bdded7173f07", + "created": "2023-09-29T18:49:01.768Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:01.768Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json b/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json new file mode 100644 index 0000000000..3fbe6896d1 --- /dev/null +++ b/ics-attack/relationship/relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d406bf6c-683f-45a2-a53c-4f4ef336c19f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7bd46875-7d59-4d65-8f9b-d48d3cb54a84", + "created": "2023-09-28T20:07:15.553Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:15.553Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json b/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json index 9a264847df..fe31638007 100644 --- a/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json +++ b/ics-attack/relationship/relationship--7bd6e5e4-6614-41ed-8a84-8eb633a91e07.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb2c7fce-77f8-47a7-9a6c-187fa53b5545", + "id": "bundle--fb4027d0-7f3c-4acc-bc63-f3fe42c32a46", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json b/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json new file mode 100644 index 0000000000..8fc2d8af79 --- /dev/null +++ b/ics-attack/relationship/relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--76cadede-cd4a-4ed5-b15a-abedad79c1b5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7be2d11d-87be-4d1c-8f5b-b7e59ad191ea", + "created": "2023-09-28T20:07:01.309Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:01.309Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json b/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json index 0046445a0b..2e9c26f6cb 100644 --- a/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json +++ b/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fcda7843-f885-4488-815a-5cbc269f6acb", + "id": "bundle--2e37f766-8345-401b-8c9b-9e1963416336", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json b/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json index 0b6a65dc00..119f27f2a5 100644 --- a/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json +++ b/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--facac353-e278-407a-8f7d-3327dbe71637", + "id": "bundle--e4c640d6-49d8-4864-9a97-652814e37a64", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json b/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json index 02cb56ec4f..72eb661c4c 100644 --- a/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json +++ b/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5e0d3f7-1c98-40d3-a2d6-ce8f2bd5a3ee", + "id": "bundle--ab13d7e5-21d4-438f-bc21-70ef533b99a8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json b/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json index 9ec3a8156e..6632e4caa9 100644 --- a/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json +++ b/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--607108ab-921d-4dc9-96cc-576510129862", + "id": "bundle--1ef78751-2b3b-48da-b17f-281cad1258f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json b/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json index 8b150964f2..0b10e57f64 100644 --- a/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json +++ b/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d12dc53-7a63-450f-a470-ca728c22195e", + "id": "bundle--61f94778-1455-4c3b-a7f4-adbea8168e87", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json b/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json index aa9017af9e..6580e272fd 100644 --- a/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json +++ b/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0508a22e-3a28-4996-802e-c7879429a50b", + "id": "bundle--575cbab9-8cac-4293-bcb1-3512b52b2d9b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json b/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json new file mode 100644 index 0000000000..6938227b2f --- /dev/null +++ b/ics-attack/relationship/relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--843d4790-a583-4b18-b248-59bdbf5c33f4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7c433b29-0ad3-4574-990f-e3d6291e7f23", + "created": "2023-09-29T18:48:29.126Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:29.126Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json b/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json index 42392b50bc..d31609a718 100644 --- a/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json +++ b/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d5e1f03-54c5-4ca4-8632-4f032c3725e9", + "id": "bundle--a4f62413-7232-4e9e-94ac-637dbd184514", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json b/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json index f46117ebd3..a4c9dcb618 100644 --- a/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json +++ b/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--96d3c10b-3f6f-4ee9-83b5-c0f789ffa701", + "id": "bundle--1f5cee09-b6b2-4dcc-9c33-569ae863aecf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json b/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json index 0c47c2e4e5..f52eaa8fa0 100644 --- a/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json +++ b/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69a1d17f-68f3-4596-a419-5b49f381b30f", + "id": "bundle--81ed981a-3d96-48b2-8afb-1b5ac20f66cf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json b/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json index d114bb9b45..ff25b41628 100644 
--- a/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json +++ b/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37fc56fe-552a-4dcb-abba-2eda67ca2f35", + "id": "bundle--348d41c6-c9af-4b57-a057-4d36a5373216", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json b/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json index 328354b6d4..14aaa8a986 100644 --- a/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json +++ b/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd161521-0c76-4051-b616-d49ef74a6769", + "id": "bundle--7d83927a-4d43-4c64-abe3-9cf8ce7a9324", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json b/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json new file mode 100644 index 0000000000..4a7911922e --- /dev/null +++ b/ics-attack/relationship/relationship--7d42ba22-9595-4463-8dda-c0e47a154fed.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f035424c-7f29-4550-8f7b-71a1d408a66e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7d42ba22-9595-4463-8dda-c0e47a154fed", + "created": "2023-09-28T20:07:48.301Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:07:48.301Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json b/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json index cf3f281283..9def4eab42 100644 --- a/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json +++ b/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bbc53871-ef02-496c-a3ae-00bfbcc03d74", + "id": "bundle--eaab264c-920a-4f08-b3d1-09f8cc4d2aa8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json b/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json index e8a35c0eac..13f81c1e7f 100644 --- a/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json +++ b/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d28fd93b-3b78-47f0-9cdf-332c645b768f", + "id": "bundle--15234034-655e-480c-9ec1-8f26227dcddc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json b/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json index d5d44470b5..2097a40c29 100644 --- a/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json +++ b/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ba4447d-ff52-489a-8348-661aaf8a7e55", + "id": "bundle--6644d1fa-e42f-49b9-a796-8692e2e34ac8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json b/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json new file mode 100644 index 0000000000..a56960d190 --- /dev/null +++ b/ics-attack/relationship/relationship--7d752615-33f0-44ed-a156-25d84f384e75.json 
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--5d796967-01c0-4276-ba28-043d68889c91",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--7d752615-33f0-44ed-a156-25d84f384e75",
+ "created": "2023-09-27T14:57:11.627Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Ukraine15 - EISAC - 201603",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.",
+ "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-10-04T17:03:24.261Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), power company phone line operators were hit with a denial of service attack so that they couldn\u2019t field customers\u2019 calls about outages. Operators were also denied service to their downstream devices when their serial-to-ethernet converters had their firmware overwritten, which bricked the devices. (Citation: Ukraine15 - EISAC - 201603)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json b/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json
index 4e19065cf9..53a0f519ca 100644
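Review bot: The citation text in `external_references[0].description` of the added `relationship--7d752615-33f0-44ed-a156-25d84f384e75` spells the report title "Ukranian"; the published title reads "Ukrainian", so that fragment should be `Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case.` The relationship `description` also records two separate effects under a single `target_ref`: the telephone denial of service against call-centre operators and the firmware overwrite that bricked the serial-to-ethernet converters. Defenders who build detection or coverage mappings from this object should confirm that the firmware behaviour is linked to its own technique by another relationship in the release, which this hunk does not show.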
--- a/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json +++ b/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51b23d35-b80f-4f3a-b51e-f89463464fe8", + "id": "bundle--06a5ccdd-2878-4bea-ac31-dfd4522d5c2c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json b/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json index 402f0aa700..41eb071159 100644 --- a/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json +++ b/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63ad437c-e4ef-4458-8aed-9a7f75bf57b0", + "id": "bundle--80b3dad3-bb19-4515-935d-1aee4d8ad800", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json b/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json index 4652429aab..565f000678 100644 --- a/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json +++ b/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--217a5ee2-a324-4968-ab08-6ed7d9ef646d", + "id": "bundle--495c48a3-151c-44bb-bc35-dd6a2fc14dd0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json b/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json index b0638dd2bd..8201e11f26 100644 --- a/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json +++ b/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0613fae-d70d-4638-9489-040dba7077a3", + "id": "bundle--d1c45461-35c0-43be-aeba-e0ab12d167a0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json b/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json new file mode 100644 index 0000000000..e0a476749e --- /dev/null +++ b/ics-attack/relationship/relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6211c5b8-ce6e-420f-ad8e-342f84c8fa24", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7ebee5d3-ce7f-436c-8b4a-087363d6b858", + "created": "2023-09-29T16:32:46.335Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:32:46.335Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json b/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json new file mode 100644 index 0000000000..2012eca32d --- /dev/null +++ b/ics-attack/relationship/relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1310bc88-7ac3-4e20-b0ca-f9dfd433ccb4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7ed1ad67-942a-424e-ad81-8b69a4f0c706", + "created": "2023-09-28T20:28:16.122Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:28:16.122Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json b/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json new file mode 100644 index 0000000000..973aaf37cd --- /dev/null +++ b/ics-attack/relationship/relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--98d4872f-a86f-4045-b318-854590f25202", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7efa1a31-da21-4925-aab0-96a012d5b2a7", + "created": "2023-09-29T17:43:22.756Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:43:22.756Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json b/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json index f8bd2a2ae1..ff6edb0a6c 100644 --- a/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json +++ b/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43012dab-d57f-4738-ba9d-28779ef1c83a", + "id": "bundle--14455b10-40a2-4940-bcfc-d091c334bead", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json b/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json index ec2d4ac839..a8dcc48ff6 100644 --- a/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json +++ b/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ee667fc-000b-4cd2-9214-841f6554950c", + "id": "bundle--a28070bb-9395-42f3-ae65-728811e7fe25", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json b/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json index 19d592c166..12e627966c 100644 --- a/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json +++ b/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d18e003-dd2f-40f4-a631-5b8041453d4e", + "id": "bundle--a0656b50-2b0a-480d-9d09-8f3ce1607225", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json b/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json index 594094f66a..6bdbfcaa4d 100644 --- a/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json +++ b/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a043c32d-69eb-4987-bfda-cdd8e792b3ed", + "id": "bundle--6f85cbf1-8f8d-4950-a2a4-9bd5c8ab9c74", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json b/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json index 47f09bb3b3..6e6c7c60c4 100644 --- a/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json +++ b/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6701e8dc-abfe-457e-8ddc-90509705cdbe", + "id": "bundle--10e421f0-4396-41a1-9278-d34a06991f8c", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json b/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json index cfb7d02c57..79aa95503e 100644 --- a/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json +++ b/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f611c9a-1fa3-4a59-8365-f9e7cade0e4c", + "id": "bundle--2bcc15c3-5013-4193-9383-03ca1c469e5a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json b/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json index 60954de1db..fc23bba59d 100644 --- a/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json +++ b/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc99ba61-21d9-4b1e-945a-0113a646973f", + "id": "bundle--06ebd367-3e2a-44a0-a3fd-9b2a9146f049", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json b/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json index bdf588425b..a29acf593a 100644 --- a/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json +++ b/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53b61887-1141-4d08-98ce-7e3965b43241", + "id": "bundle--122af8e3-5559-4784-a223-9b60178ef70c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json b/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json new file mode 100644 index 0000000000..ddfa4c61ee --- /dev/null 
+++ b/ics-attack/relationship/relationship--81055366-e78b-40e0-a799-4b536ba03db3.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9840ad03-f880-4c0a-a118-9e7edba25acd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--81055366-e78b-40e0-a799-4b536ba03db3", + "created": "2023-09-29T18:45:22.474Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:22.474Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json b/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json index 6c2e8374c3..cbfed47b64 100644 --- a/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json +++ b/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e439e2f-ad1b-4068-b233-11821e2ee14b", + "id": "bundle--fa85485e-b301-42fa-ab0f-d5ae066f5fc3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json b/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json new file mode 100644 index 0000000000..0b7455b196 --- /dev/null +++ b/ics-attack/relationship/relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bfc20d80-338e-4d7a-ace8-d00b1b33b5fa", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--817ae105-3ddf-4766-9d26-ca1ec3c64eb6", + "created": "2023-09-28T20:11:42.579Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:11:42.579Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json b/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json new file mode 100644 index 0000000000..0f66a2cee8 --- /dev/null +++ b/ics-attack/relationship/relationship--81806f43-c9aa-486e-8032-4e4665ba0d39.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f01d26e0-44c6-4e61-aa87-ce7115bb5c46", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--81806f43-c9aa-486e-8032-4e4665ba0d39", + "created": "2023-09-29T18:43:13.760Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:43:13.760Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json b/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json new file mode 100644 index 0000000000..a803249d22 --- /dev/null +++ b/ics-attack/relationship/relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--06da3b6e-20e4-426d-b9fe-c4156e8e4703", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--818ce9d0-8fc2-4a34-a062-f0e6995bdf32", + "created": "2023-09-28T21:13:00.330Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:13:00.330Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json b/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json index e932e4fbd9..ba0c1f1e05 100644 --- a/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json +++ b/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0c81ddf-0f34-464f-9872-392c7b97973c", + "id": "bundle--f316b386-6854-4bcf-a582-c38e63fb18c7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json b/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json index 9f1ec24594..9c7dc2a81b 100644 --- a/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json +++ b/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58393311-acfa-48d0-820b-2d24c02d218f", + "id": "bundle--de46ad37-0c9a-46ea-8e06-2651d0938d0c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json b/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json index e26d1d9369..fad6bb837e 100644 --- a/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json +++ b/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1471fa98-ca48-4bf8-9b8e-d17f53438b56", + "id": "bundle--658bca45-6d4b-4c64-8630-7096472c4c94", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json b/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json index fc151df591..b73a2d4b42 100644 --- a/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json +++ b/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e8f8a67e-1e18-4cbb-94f1-00a475d8ab73", + "id": "bundle--0d319e84-cf73-4c93-a0df-11fbea732291", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json b/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json new file mode 100644 index 0000000000..09cef53ffa --- /dev/null +++ b/ics-attack/relationship/relationship--83a964cb-730c-44e4-859b-b5246159396b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f3f190a3-4fd4-4632-82d7-0875b0359fde", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--83a964cb-730c-44e4-859b-b5246159396b", + "created": "2023-09-29T17:59:43.275Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:59:43.275Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json b/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json index 9a9d1ea386..9cfbd75bd0 100644 --- a/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json +++ b/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd797644-18d3-46b9-95c3-c85716e51f63", + "id": "bundle--b4bb4fc3-8423-4ff4-b18c-fc26aea7f579", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json b/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json index d62c8731ff..484bc9ea1a 100644 --- a/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json +++ b/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4117dc55-4e15-4f70-a67b-4d3ac4ac024c",
+ "id": "bundle--15b49fc8-4fdd-44fd-a3c8-9a241c476a84",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,14 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-09-23T18:48:43.457Z",
- "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)",
+ "modified": "2023-09-25T14:53:48.947Z",
+ "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SIPROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
 "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
diff --git a/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json b/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json
index c9a4c06acf..8095842ac2 100644
--- a/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json
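Review bot: The corrected `description` in the second hunk still reads `is used the adversary`, so the sentence is missing a word even after the SPIROTEC to SIPROTEC fix. Since the string is being rewritten anyway, I would change that clause to `but in this case is used by the adversary to prevent the SIPROTEC from performing its designed protective functions`. The relationship object starts above the hunk, so its earlier fields were not reviewed.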
+++ b/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--90cec361-1955-4dc1-ab6b-29ea4346a1f8",
+ "id": "bundle--48de86bc-a3e5-4588-a873-d278bf700e20",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json b/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json
index 6380746936..3fc498cf39 100644
--- a/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json
+++ b/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--08b4ed6f-232d-45a4-8bdb-73f6a4a4eb49",
+ "id": "bundle--6b27d841-c7e9-468c-a3a5-4d88aa543925",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json b/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json
index 5415353358..f71809fcba 100644
--- a/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json
+++ b/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8ef0ba90-71ee-495b-8794-9ca23cfd60b4",
+ "id": "bundle--2f2e911f-8204-4c96-9cf3-59a57a9b78a5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json b/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json
new file mode 100644
index 0000000000..5a11360b66
--- /dev/null
+++ b/ics-attack/relationship/relationship--84671396-a556-4a5d-9bb9-cac697277371.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--073a62bf-f124-43f9-a626-78981b4f97d0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--84671396-a556-4a5d-9bb9-cac697277371",
+ "created": "2023-09-29T16:31:12.255Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T16:31:12.255Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
+ "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json b/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json
new file mode 100644
index 0000000000..00cbda06e8
--- /dev/null
+++ b/ics-attack/relationship/relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--80404c77-2409-4a71-82e6-b774b3a1e6f7",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8474e6ef-39c4-4ecc-ba5a-cbd9b32b5c65",
+ "created": "2023-09-28T21:11:15.610Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:11:15.610Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d.json b/ics-attack/relationship/relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d.json
deleted file mode 100644
index 18698c70a4..0000000000
--- a/ics-attack/relationship/relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "type": "bundle",
- "id": "bundle--8c974b08-7fe5-4cf8-8a99-c2a564bd352b",
- "spec_version": "2.0",
- "objects": [
- {
- "type": "relationship",
- "id": "relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d",
- "created": "2021-04-11T14:06:54.109Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016",
- "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ",
- "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2022-10-12T16:56:37.468Z",
- "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
- "relationship_type": "uses",
- "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
- "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- }
- ]
-}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json b/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json
new file mode 100644
index 0000000000..df1b1fcb54
--- /dev/null
+++ b/ics-attack/relationship/relationship--84fa50ff-bb84-4ab6-b759-658c57532c42.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--4b02928b-c2d5-4b33-b65a-3fc44b94ff50",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--84fa50ff-bb84-4ab6-b759-658c57532c42",
+ "created": "2023-09-29T16:32:09.319Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T16:32:09.319Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json b/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json
new file mode 100644
index 0000000000..34189edaa3
--- /dev/null
+++ b/ics-attack/relationship/relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--a4993d21-275b-4105-8f10-f61d9a56f6be",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--84fd1e14-44a8-4eac-9bfc-67b50ea1acf7",
+ "created": "2023-09-29T18:01:32.878Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T18:01:32.878Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json b/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json
new file mode 100644
index 0000000000..5fb66e5262
--- /dev/null
+++ b/ics-attack/relationship/relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--12663579-3224-447a-a140-7189eb34d085",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8530c1ea-fe9f-4b04-be34-7404d5e30e75",
+ "created": "2023-09-29T17:59:22.291Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:59:22.291Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json b/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json
index 42601b9d81..7572a5a99a 100644
--- a/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json
+++ b/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f42617d1-964f-4d22-ac9a-cb8d0552fecc",
+ "id": "bundle--b25f712c-6204-461a-8eff-d81d691848e2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json b/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json
new file mode 100644
index 0000000000..59fb084c9d
--- /dev/null
+++ b/ics-attack/relationship/relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--7298aa56-a662-42a5-9df9-2640c43882a6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--86a8d6aa-beff-4343-a0b2-dd099202b2dc",
+ "created": "2023-09-28T19:58:13.866Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T19:58:13.866Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json b/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json
index 9e2d1ce135..b093925017 100644
--- a/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json
+++ b/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1a4823b8-1fed-471e-aa94-ad54ea7b06d6",
+ "id": "bundle--7f2c418f-8971-474f-8eca-06ba94157406",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json b/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json
index 1403245090..42255bc4c3 100644
--- a/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json
+++ b/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b30c59d0-3757-4183-9bf4-8ed3def98959",
+ "id": "bundle--2e1aebff-5f14-48b9-97ae-c52fb4963fd1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json b/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json
index 840efa16e0..8c6bce680e 100644
--- a/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json
+++ b/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ffe2e404-b942-4639-b674-e585d6f1a227",
+ "id": "bundle--eb6abd15-eaa5-426a-8a0d-1ced16159f39",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json b/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json
new file mode 100644
index 0000000000..76742f8dac
--- /dev/null
+++ b/ics-attack/relationship/relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--b895684d-45ae-4ae3-adee-e7b9bcda6acf",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--86e7a6d1-baa5-4a8d-9ba8-302fb0d72f9c",
+ "created": "2023-09-28T21:09:41.659Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:09:41.659Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json b/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json
index a6e21f4990..d33e46dcd4 100644
--- a/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json
+++ b/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--30ecb3ac-1255-4f27-8671-4a2fe6cdf192",
+ "id": "bundle--c2c257a8-7ff5-4f84-9691-229d68b4362c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json b/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json
index dd4aa013b7..8297e28bb1 100644
--- a/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json
+++ b/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dd232c1a-102c-417f-a967-997ce646ae2c",
+ "id": "bundle--22783ce2-1644-4fc2-b5cd-3d59f38033ce",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json b/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json
index d60ea7bd60..887ff43618 100644
--- a/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json
+++ b/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6bcde54c-2204-4b9e-880b-fb07041f58f2",
+ "id": "bundle--317b14f4-2250-4f42-8cd7-828f1b091b43",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json b/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json
index de5c41b2f6..f932fcf397 100644
--- a/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json
+++ b/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c77004c5-4c4c-423f-bd6a-5ec8fecc02b1",
+ "id": "bundle--4697d7e1-8fc4-498e-ace0-69dae75a2068",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json b/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json
index c3f7dbe7b3..3b0fb5faae 100644
--- a/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json
+++ b/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7f55c248-748c-4c3a-8d5e-cdaa1cd6e817",
+ "id": "bundle--51a21a6a-b3b6-48e8-97be-1d1eaec647f6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json b/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json
index 0ee78ecd1e..0d7be93fcd 100644
--- a/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json
+++ b/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a5250561-d556-476c-bd08-294dea665c35",
+ "id": "bundle--912d86ef-f3f3-49fa-9ef0-d98f8d19eedf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json b/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json
index 9c9f673671..a3270a4897 100644
--- a/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json
+++ b/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3a2a3e80-6446-47c3-b694-bff99af280ff",
+ "id": "bundle--8b75b4a7-83bc-4398-a5b4-4cba0d500a65",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json b/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json
new file mode 100644
index 0000000000..b2508ce115
--- /dev/null
+++ b/ics-attack/relationship/relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--34d2c3b4-2811-45ac-b65d-0024deec8c22",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--88edcf36-a6f2-474f-b9c2-7800b34919a2",
+ "created": "2023-09-28T21:24:07.864Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:24:07.864Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json b/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json
index 3b27fa0236..d622f354e6 100644
--- a/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json
+++ b/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fe2ac129-ed5c-4ee1-b290-be1bac1acff8",
+ "id": "bundle--816f9b95-9f3e-4013-9ba1-a2bf7d86c32a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json b/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json
new file mode 100644
index 0000000000..394cc3155b
--- /dev/null
+++ b/ics-attack/relationship/relationship--897cfc36-4253-4e1e-8825-726dbe9088a2.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--dca257bc-838b-405c-b36e-0511eb905dba",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--897cfc36-4253-4e1e-8825-726dbe9088a2",
+ "created": "2023-09-28T19:55:02.944Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T19:55:02.944Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
+ "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json b/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json
index 6cf7ebd506..6960256396 100644
--- a/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json
+++ b/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e1a1cd35-0b17-4f35-af89-67168737d7c2",
+ "id": "bundle--9dd94b55-01c4-4c67-92bf-52565fec3ea0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json b/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json
index e36e1526f4..070b41dece 100644
--- a/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json
+++ b/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a381de26-0ebc-4981-9719-376f53d735f6",
+ "id": "bundle--4373c8ca-9262-49b4-a97b-65a5ed86d7ab",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json b/ics-attack/relationship/relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json
index fafd91b826..8d3dc52489 100644
--- a/ics-attack/relationship/relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json
+++ b/ics-attack/relationship/relationship--8a07f92e-9384-4967-9cd9-ffa08a0e55bf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--258d860e-5361-4e27-b378-461e4423a29b",
+ "id": "bundle--b488642f-3b25-4c71-9aae-0bbff37a0f9c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json b/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json
index c425afd124..2ac2336329 100644
--- a/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json
+++ b/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--76f709d5-a5aa-48c7-b4af-4748cc896f38",
+ "id": "bundle--702532d3-39f5-4ccb-8e0a-022086573645",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json b/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json
new file mode 100644
index 0000000000..1401b41399
--- /dev/null
+++ b/ics-attack/relationship/relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--f006be99-f8b4-447c-aa50-5dd1b08eac90",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8a765743-9caf-4c8a-9c58-6fe2c1993108",
+ "created": "2023-09-29T16:42:43.736Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T16:42:43.736Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
+ "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json b/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json
new file mode 100644
index 0000000000..d9e0681cfd
--- /dev/null
+++ b/ics-attack/relationship/relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--ec01f903-6f96-4be6-94c2-b3554bb95fb5",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8a86ad59-dff1-46dc-8ffd-3c62b96c6e62",
+ "created": "2023-09-27T14:50:09.612Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-27T15:25:53.307Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) moved their tools laterally within the ICS network. (Citation: Booz Allen Hamilton)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json b/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json
index 88bf7613cb..4927fe3194 100644
--- a/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json
+++ b/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8281802a-5d90-43dc-a0fc-b2b4a94258f2",
+ "id": "bundle--600bd23c-3055-469f-9af8-d975d82b84b9",
 "spec_version": "2.0",
 "objects": [
 {
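Review bot: The `external_references` entry named "Booz Allen Hamilton" in the new relationship--8a86ad59 file carries a citation string that does not follow the format used by the other reference added in this patch: `Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ` has no separator between author and title, a stray period after "Retrieved", a numeric date and a trailing space. The EISAC reference in relationship--8b7403f5 shows the intended shape (author, date in parentheses, title, then `Retrieved Month D, YYYY.`). I would normalise it to `Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.`, replacing `n.d.` with the publication date if it is known. The same string is repeated in relationship--8b7403f5 and should be fixed there as well.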
diff --git a/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json b/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json
index 4ce8342490..32c70f5a3a 100644
--- a/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json
+++ b/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4333d2d5-3c1b-48d1-a8ba-1826af5a7ce8",
+ "id": "bundle--2435a533-fe94-4729-8509-bba6916b7150",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json b/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json
index ec18310a08..948e31a534 100644
--- a/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json
+++ b/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--327b98e3-9293-4f01-bd2c-28e2b3485b38",
+ "id": "bundle--383415b2-90b6-4529-9503-971180bd1e74",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json b/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json
index 90e918cead..dd1bcff141 100644
--- a/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json
+++ b/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7e346c41-b4b8-49ad-9cbe-d7f5c1d1a492",
+ "id": "bundle--ac73f151-adcb-435b-9598-43ad2f3432d0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json b/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json
index bdd1b109cd..7bdfc26c72 100644
--- a/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json
+++ b/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e92c4ab8-80e2-4b5c-b051-69ef7e563715",
+ "id": "bundle--eea8460b-f09a-438f-bc0d-5de44b4bcf55",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json b/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json
new file mode 100644
index 0000000000..30b077ae73
--- /dev/null
+++ b/ics-attack/relationship/relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--647513ec-6964-4248-8a86-520ffec13e1c",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8b7403f5-90d2-4d2c-a484-87d29f419a9f",
+ "created": "2023-09-27T14:49:29.987Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ },
+ {
+ "source_name": "Ukraine15 - EISAC - 201603",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.",
+ "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-10-04T17:03:24.263Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) scheduled the uninterruptable power supplies (UPS) to shutdown data and telephone servers via the UPS management interface. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
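Review bot: The `Booz Allen Hamilton` entry under `external_references` has a description that does not follow the citation pattern used by the `Ukraine15 - EISAC - 201603` entry beside it: `"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "` runs author and title together, has no publication date, ends in a trailing space and writes the retrieval date with slashes. Tooling that renders or de-duplicates citations from these bundles will handle the two entries differently, so I would normalise it to something like `"description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019."`, with the real publication date filled in if known. In the relationship `description`, `uninterruptable` should read `uninterruptible` and the verb `shutdown` should be `shut down`.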
diff --git a/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json b/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json index 1faeb2b119..04037fb089 100644 --- a/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json +++ b/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af249e9e-a7cd-4edb-8891-c15016643f0a", + "id": "bundle--11113f72-dc16-41d9-8df0-66f708e2e97f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json b/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json new file mode 100644 index 0000000000..9b81b8ae56 --- /dev/null +++ b/ics-attack/relationship/relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fe16478d-1192-48cb-beac-a7a7f7991074", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8bfeed6a-a0c6-4f11-81b2-f32225c85ac4", + "created": "2023-10-02T20:21:16.665Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:21:16.665Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json b/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json index 13852cf101..3d6de8535b 100644 --- a/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json +++ b/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--668abb6b-94d0-4dec-b450-cb0fcff318d7", + "id": "bundle--88e6496c-0611-45af-9e9f-b50b4de3d5b5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json b/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json index d06c33f54f..0600d99b35 100644 --- a/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json +++ b/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--caa3165d-796d-48cd-b530-95ac76fcfd3f", + "id": "bundle--70190ca3-9f6f-45d3-9ce3-d6359e316ef9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json b/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json new file mode 100644 index 0000000000..54deff899f --- /dev/null +++ b/ics-attack/relationship/relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e201181a-3dde-4031-add9-0815e62cb3af", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8ccd5f5c-420a-413b-81ef-5e40f401be95", + "created": "2023-09-28T20:31:46.082Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:31:46.082Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json b/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json new file mode 100644 index 0000000000..5694105c5b --- /dev/null +++ b/ics-attack/relationship/relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91.json 
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--212e0503-b8c2-4352-85d5-72a62e2bd0c1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--8d0d6365-7bc0-417d-9268-c7c31fcb0d91",
+ "created": "2023-09-27T14:49:48.589Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Ukraine15 - EISAC - 201603",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.",
+ "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-10-04T17:03:24.264Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Ukraine15 - EISAC - 201603)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json b/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json
new file mode 100644
index 0000000000..3773f25164
--- /dev/null
+++ b/ics-attack/relationship/relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7.json
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--26976f0e-4d48-4ace-a805-70cc65a91202", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8d7e2aa5-129a-4060-88ae-9fc066af13c7", + "created": "2023-09-28T21:25:20.417Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:25:20.417Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json b/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json index fc23d8cf99..75650b7396 100644 --- a/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json +++ b/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--748ce6c0-814c-4ab5-b579-79aeeec40392", + "id": "bundle--449a9fb1-edda-46a2-9bc3-40bcb67ee8a8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json b/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json index 8891983c47..05c76d87b0 100644 --- a/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json +++ b/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c92fa9fa-cc20-4e5e-9d2c-33e33356bdac", + "id": "bundle--c8362994-faf2-405c-9cf6-014c6e2605f0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json b/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json index 8a77260b00..8026f0e3be 100644 --- a/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json +++ b/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ace3a5b1-a2d8-424b-8e77-a5eb884c25ff", + "id": "bundle--508244e9-6a6e-4e81-9070-d54ce4b0c20e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json b/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json new file mode 100644 index 0000000000..1458b87279 --- /dev/null +++ b/ics-attack/relationship/relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2b74dc8b-a1ab-4154-99fe-509df95b1d46", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8ed7e323-578c-4a62-bf32-0bf2fefa872b", + "created": "2023-09-29T17:05:44.653Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:44.653Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json b/ics-attack/relationship/relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json index 6e79aba410..426773b7a1 100644 --- a/ics-attack/relationship/relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json +++ b/ics-attack/relationship/relationship--8f0fa80a-7f8c-4c54-9277-a6f69bafd6af.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7d16418f-0155-41d5-b10f-dbc2e002ccc6", + "id": "bundle--c914b983-0ef6-4abc-afef-3944aab4f502", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json b/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json index 0a07e52780..55ebada35b 100644 --- a/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json +++ b/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ba98633-dc0e-4000-b431-044c63b11f06", + "id": "bundle--cb2dde87-ebda-495f-a9f3-ae2a1e56c2fc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json b/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json index 1ad6243ce6..a7f12458d6 100644 --- a/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json +++ b/ics-attack/relationship/relationship--8f7ccb2b-de2a-4a5c-9f1e-d5e58e69efa8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce5290c0-8373-47bc-b98e-498ce56edcc9", + "id": "bundle--329f8eb3-c5d0-4832-9910-6af84d6d044c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json b/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json index ae6d42ea12..4c4ca05f10 100644 
--- a/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json +++ b/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b49c7542-4ffd-4f7f-8d87-0a36f8fa6ed3", + "id": "bundle--9b8be9a7-8727-45a7-8607-d789cd644ad9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json b/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json new file mode 100644 index 0000000000..617ff66f88 --- /dev/null +++ b/ics-attack/relationship/relationship--8f947e00-2579-4120-a8b0-d466e59fac1a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--be58239d-d82a-425b-ba7e-19da2105344b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8f947e00-2579-4120-a8b0-d466e59fac1a", + "created": "2023-09-28T19:49:25.824Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:49:25.824Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json b/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json index d6f26f1cae..9a59c536bd 100644 --- a/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json +++ b/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--165341dd-2bbb-4514-a85c-a14bbfc79221", + "id": "bundle--50d19d4f-0bd2-4a32-941e-2c8655e9aa47", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json b/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json index 24275c2dbb..8e4bde43f5 100644 --- a/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json +++ b/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--77623edb-3d1e-421f-b66e-e6017256fcf3", + "id": "bundle--91c447e1-482a-4e00-a3ed-f1669b42c1bb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json b/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json new file mode 100644 index 0000000000..b7f6c1d972 --- /dev/null +++ b/ics-attack/relationship/relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--25c3fda5-dd80-41eb-ad09-85b759619984", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8fe2bc4c-e9f7-430d-84d5-e3d603141dcb", + "created": "2023-09-29T17:04:17.682Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:04:17.682Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json b/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json index e0281d48f4..3d4b7911fc 100644 --- a/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json +++ b/ics-attack/relationship/relationship--90647f03-38a4-4364-a3af-53640a81360e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d30fd587-ee12-4be2-b8c8-bece164f091f", + "id": "bundle--aa819bd2-c361-4352-9b32-4c21c69f8358", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json b/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json new file mode 100644 index 0000000000..7b30a051b9 --- /dev/null +++ b/ics-attack/relationship/relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3411c120-126d-4b7f-950d-b8f6186e56c5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--908e3fa1-e2b9-475e-b72d-06343a65a3c6", + "created": "2023-09-28T20:04:44.041Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:44.041Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json b/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json index fa61336df9..9dde7f0bef 100644 --- a/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json +++ b/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--746dd514-112f-4ad5-81e0-0945946a86ec", + "id": "bundle--c727e8af-277f-4ab0-8a39-b6d4d205006f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json b/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json new file mode 100644 index 0000000000..c64ae20a6f --- /dev/null +++ b/ics-attack/relationship/relationship--910bada1-c923-4009-a9ea-da257072f168.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5c52b563-2338-455b-ba1a-8643fc9542ad", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--910bada1-c923-4009-a9ea-da257072f168", + "created": "2023-09-29T16:29:27.902Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:27.902Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json b/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json index 758e18a719..3e5475fcab 100644 --- a/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json +++ b/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--710bf02e-0112-46b6-abc3-cc3a88fc9fef", + "id": "bundle--52b00d4a-cee8-4375-9649-c26825e73402", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce.json b/ics-attack/relationship/relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce.json index fcd9ece9f5..b9b5b8223a 100644 --- a/ics-attack/relationship/relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce.json +++ b/ics-attack/relationship/relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65a2d534-9f09-4034-9592-9f5751aef8aa", + "id": "bundle--5b063903-2e30-4a14-804b-044c7305c034", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json b/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json index 0d4ef9ae21..ac641a445e 100644 --- a/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json +++ b/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2294556a-d7d5-4f97-b436-9b70056bb4cb", + "id": "bundle--12428320-2269-4cfb-9a5e-dfabb8783d61", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json b/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json index 64f7e24638..4a7dba46e2 100644 
--- a/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json +++ b/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9320605a-ef0d-4d93-8c4c-82e2dd2cd3a7", + "id": "bundle--c685b05b-01cb-4995-b84c-d1b2e7ef7e66", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json b/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json new file mode 100644 index 0000000000..9816eb306c --- /dev/null +++ b/ics-attack/relationship/relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3208b72c-9586-4d82-aef9-b90edd9f6313", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--938ff1d4-acce-4e4e-8a9c-be62799dff8e", + "created": "2023-09-29T17:38:40.536Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:40.536Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json b/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json new file mode 100644 index 0000000000..ba0e464315 --- /dev/null +++ b/ics-attack/relationship/relationship--93c336f2-7e7c-4c79-af16-faae03e66121.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3d9cdfcf-1553-4ac4-9064-0f33f8ccd244", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--93c336f2-7e7c-4c79-af16-faae03e66121", + "created": "2023-09-29T18:44:09.293Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:44:09.293Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json b/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json index 38fc9bf538..b0fc189dac 100644 --- a/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json +++ b/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b3527c34-c791-4e1d-b6be-18728cd25022", + "id": "bundle--46cd2514-89ae-4f6a-9967-3a11164ca435", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json b/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json new file mode 100644 index 0000000000..256dbebcb9 --- /dev/null +++ b/ics-attack/relationship/relationship--943a9a5c-7826-451d-ac73-34353ea40595.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5807d59a-c72c-49e7-8f50-ff6f66fad6e1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--943a9a5c-7826-451d-ac73-34353ea40595", + "created": "2023-09-29T16:33:36.496Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:33:36.496Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json b/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json index 50663d36f1..fc096f666e 100644 --- a/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json +++ b/ics-attack/relationship/relationship--94654460-b115-4056-beb1-e982ed33437b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c4bef438-51cd-4789-a740-a19827a8703f", + "id": "bundle--30e933c1-ebd2-4160-9778-be4b9af5d3f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json b/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json index 298caaae40..015c0b83fc 100644 --- a/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json +++ b/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aee294de-406a-4faa-abe1-bcd50c0e73e5", + "id": "bundle--867fda65-bca4-4174-ab8d-c730517732c7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json b/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json index 49f3257dca..180891882c 100644 --- a/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json +++ b/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b7cc939d-b2f5-4b79-945c-469966c09f1b", + "id": "bundle--8015391d-25c5-4ed3-a905-27b65e933d20", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json b/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json index 094d612de4..0a84e32f0d 100644 --- a/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json +++ b/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5118844d-ee29-4360-a44b-515375e0b48a", + "id": "bundle--38902a67-0f32-4573-8a0f-25ce0f93ad64", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json b/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json new file mode 100644 index 0000000000..aa98b526db --- /dev/null +++ b/ics-attack/relationship/relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9f7a8cd0-a40c-40cf-8a6b-f54f7beaac39", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--956bbc7f-82c2-4097-8b7b-1e9d732c532d", + "created": "2023-09-28T20:17:07.288Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:17:07.288Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json b/ics-attack/relationship/relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json deleted file mode 100644 index 1f7ff5dfef..0000000000 --- a/ics-attack/relationship/relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--dbd53a7b-bead-424f-a62c-ec41f9f41b4d", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625", - "created": "2021-10-14T21:33:27.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Electrum Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/electrum/" - }, - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2023-04-07T17:01:17.079Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)(Citation: Dragos)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json b/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json index 58878f5162..13f0860326 100644 --- a/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json +++ b/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e854da97-c522-4a35-887d-1bae46b48fab", + "id": "bundle--fcb219aa-8abe-4eda-8671-ab06699de8b0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json b/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json index 99bb883bd4..f5480a1765 100644 --- a/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json +++ b/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e85ab70b-ea83-4ac8-aa80-e420cbda54d6", + "id": "bundle--d7107e3e-1786-43ee-81bd-24d68da019c5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json b/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json new file mode 100644 index 0000000000..7ef6a04497 --- /dev/null +++ b/ics-attack/relationship/relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--839d4354-9b73-41e4-bd13-819748bee8f4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--968fd463-fec4-4b2d-b3c9-950d8471b9a8", + "created": "2023-09-28T20:25:30.229Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:25:30.229Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json b/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json index 906f5084ab..1f01aa7f6e 100644 --- a/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json +++ b/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json 
@@ -1,24 +1,26 @@ { "type": "bundle", - "id": "bundle--c336cca0-3dc9-4181-85b5-f6af9800c2dc", + "id": "bundle--169e4622-c96f-4a61-b01f-8bc49ff95098", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.153Z", + "modified": "2023-09-25T20:47:35.796Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets, including the associated controller tasking.\n", "relationship_type": "mitigates", - "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json b/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json index 7d3a8f5939..649ab42d73 100644 --- a/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json 
+++ b/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--320890d6-ec23-4fa5-bb89-f789e0259f0e", + "id": "bundle--858b7e29-f581-43cf-9ceb-8ad21f33002b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json b/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json index e800360bac..5d1a458a67 100644 --- a/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json +++ b/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1628a7b4-961b-446f-a012-e51dbc682aaf", + "id": "bundle--81de9e00-118a-42c6-9bb8-bc7161d889ed", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json b/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json new file mode 100644 index 0000000000..7d49115901 --- /dev/null +++ b/ics-attack/relationship/relationship--97756c8a-b702-472b-8d67-15464a73093e.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--f9b9f114-fd37-41a5-b12a-c861b1a909c9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--97756c8a-b702-472b-8d67-15464a73093e", + "created": "2023-09-27T14:56:28.962Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.265Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [KillDisk](https://attack.mitre.org/software/S0607) rendered devices that were necessary for remote recovery unusable, including at least one RTU. Additionally, [Sandworm Team](https://attack.mitre.org/groups/G0034) overwrote the firmware for serial-to-ethernet converters, denying operators control of the downstream devices. 
(Citation: Booz Allen Hamilton)(Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json b/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json index 0e9e73e6d9..d5f5dde9f8 100644 --- a/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json +++ b/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4610a53a-d9f8-4384-b6a3-bdeade26b3e8", + "id": "bundle--f6a83bc4-18e3-4702-9337-64d28abc1deb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json b/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json index 5d4a355e54..56206531b6 100644 --- a/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json +++ b/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00312926-7f90-4d10-b3f1-240f84387f35", + "id": "bundle--a1ed8f09-7bba-4155-aa3d-65477b26db22", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json b/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json new file mode 100644 index 0000000000..443fa83b7d --- /dev/null +++ b/ics-attack/relationship/relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1.json 
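Review bot: The two `external_references` entries in the new `relationship--97756c8a-b702-472b-8d67-15464a73093e.json` use different citation formats, which makes the sourcing for this 2015 Ukraine campaign claim harder to trace. The first keeps the older free-text form with a trailing space (`"description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "`) and a bare organisation name as `source_name`. The second uses the structured author/date/title/retrieved form with a keyed `source_name` (`Ukraine15 - EISAC - 201603`). I would rewrite the first entry in that same form, for example `"description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019."`, and rename its `source_name` to match, updating the `(Citation: Booz Allen Hamilton)` marker in the relationship `description` with it. The title in the second entry reads "Ukranian", which looks like a misspelling and should be checked against the source document.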
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4c9ed06a-205b-469a-a374-82657c30b2f8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--97e20860-29d9-4738-a9a8-6cc3e4db23f1", + "created": "2023-09-29T16:40:54.250Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:54.250Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json b/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json new file mode 100644 index 0000000000..beb673bc95 --- /dev/null +++ b/ics-attack/relationship/relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0f95207c-3939-4705-9d62-6b63726dfe6b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--97f42cef-bc2a-47c5-b408-8e38aab4030e", + "created": "2023-09-29T16:41:32.631Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:41:32.631Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json b/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json new file mode 100644 index 0000000000..7a8d95e2d0 --- /dev/null +++ b/ics-attack/relationship/relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0a18abec-a345-4835-98a2-fbe49c7b72c6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--97f863d7-e68a-4cc8-ab3b-a7e9a1cc2319", + "created": "2023-09-29T18:47:52.800Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:52.800Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json b/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json index 8a1ff503f7..98c3d65b29 100644 --- a/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json +++ b/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a762b4d-882c-482b-923b-533cdc99c826", + "id": "bundle--65b3c3e5-9dea-4802-bb7d-53adbc4fadd2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json b/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json index 01d9c42213..e00a55f7f4 100644 --- a/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json +++ b/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--938556be-05a8-42e4-80ae-e0a0a9e4d2fe", + "id": "bundle--5f30b481-a2bc-4149-ab8e-bca6e02ea998", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json b/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json index b5f593da2f..5dda56c547 100644 --- a/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json +++ b/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2fedec97-8b3d-4685-acf4-28e9ecc7f4b5", + "id": "bundle--1781f25f-d2de-416e-8e28-1624a65cf87e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json b/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json index b235118dc2..684a333d24 100644 --- a/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json +++ b/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51b4a881-7ef9-4294-ac72-57fc743b2703", + "id": "bundle--388f5f64-88f3-4276-9eb7-7a187c1c365a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json b/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json index bcddfa9597..3616f58868 100644 --- a/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json +++ b/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51d8ded2-f266-45c6-8429-b77267cb1403", + "id": "bundle--44d2e04b-5cdd-45d7-a79b-9fff15f77ad6", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json b/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json new file mode 100644 index 0000000000..a73530ea31 --- /dev/null +++ b/ics-attack/relationship/relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d0789c1c-b2de-4bf8-961c-b5daad6f3cb7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9951eb11-8140-420d-8e2d-56fbe0ff0134", + "created": "2023-09-29T18:03:23.576Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:03:23.576Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json b/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json index 3a5f10ff19..3a52ac6146 100644 --- a/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json +++ b/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5efd7f1b-16fe-406e-83e8-863c89649c33", + "id": "bundle--d6319204-a551-4fd1-8d3a-07f1b255ba21", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json b/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json index 76fc744829..3bef7baf74 100644 --- a/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json +++ b/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b68a8797-ae40-46ba-91e1-2b828024c089", + "id": "bundle--fb14dfc3-e708-4456-b07b-3fe58b04b24e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json b/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json new file mode 100644 index 0000000000..e61f0bc41b --- /dev/null +++ b/ics-attack/relationship/relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--afc9f458-ac99-441c-a5e0-eecb328e265b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--99f84b91-32a1-4ade-8de5-5d2a0359302f", + "created": "2023-09-28T19:56:54.642Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:56:54.642Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json b/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json new file mode 100644 index 0000000000..79162565ed --- /dev/null +++ b/ics-attack/relationship/relationship--99fa6d92-0c41-44ed-bd30-dd0413785883.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0a133c22-08e6-41fa-81b9-868c0d355278", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--99fa6d92-0c41-44ed-bd30-dd0413785883", + "created": "2023-09-29T18:43:23.321Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:43:23.321Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json b/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json new file mode 100644 index 0000000000..46dd80144c --- /dev/null +++ b/ics-attack/relationship/relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a15a0777-809c-4da4-b7b7-e783ebb53d7c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9a3e771d-d84f-4f2a-baf9-4478abdbdbcf", + "created": "2023-09-28T20:04:32.626Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:32.626Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json b/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json index d21f4b3174..a4f6e443f7 100644 --- a/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json +++ b/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e6137c60-7e95-41cb-a62d-1dcb4abed64f", + "id": "bundle--904fa442-08b9-42bf-8fd0-ce67b50014c5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json b/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json index 73ea4c66c1..0527e51baf 100644 --- a/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json +++ b/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da783e70-5d84-4482-95dc-920134496eff", + "id": "bundle--e6f556fe-6dc3-4ac1-a2cf-ff1f83a61021", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json b/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json index f2166831cf..dde430ab68 100644 --- a/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json +++ b/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ac5c9e82-bf98-4e2c-8ec7-5c1029a615ba", + "id": "bundle--d9aaa273-87e8-494b-82ca-566bfb76c859", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json b/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json new file mode 100644 index 0000000000..8ea7811de3 --- /dev/null +++ b/ics-attack/relationship/relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b4ad6212-ad53-4623-aeaa-9400f5808014", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9b0b3c25-d87c-452a-a2f9-241234410eb8", + "created": "2023-09-29T18:58:05.958Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:58:05.958Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json b/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json index 2784e356e7..364afb6605 100644 --- a/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json +++ b/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c396a07-f7e6-4099-abfc-43cdd13d9897", + "id": "bundle--55aec065-35a3-4aaf-9a77-336da836fa39", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json b/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json index 6d870f7dde..4c7d691004 100644 --- a/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json +++ b/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6819d4d-cc4d-4856-be75-13a29f43fb46", + "id": "bundle--9d79752d-a686-4067-8ab5-9bd82af9ddf8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json b/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json new file mode 100644 index 0000000000..585ef297fd --- /dev/null +++ b/ics-attack/relationship/relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b8132edd-221a-48da-a3ff-8424d3f62738", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9ba76ea3-9ebb-49d7-803a-5cf2deef6875", + "created": "2023-09-28T19:37:35.485Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:37:35.485Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json b/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json new file mode 100644 index 0000000000..d3e258d06c --- /dev/null +++ b/ics-attack/relationship/relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--96464c4d-e6f6-4b19-8f29-42db3f0153fc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9c0db354-c2d6-4db0-bb76-35ae66c01dd1", + "created": "2023-09-28T20:11:52.625Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:11:52.625Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json b/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json new file mode 100644 index 0000000000..5ceea80cb5 --- /dev/null +++ b/ics-attack/relationship/relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e85cb488-1fcb-411d-bd8a-efbb04dcab86", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9c23121e-14bb-4382-b54d-2ea02a2815b5", + "created": "2023-09-28T19:59:44.009Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:59:44.009Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json b/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json index ff50af421f..c9670923e3 100644 --- a/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json +++ b/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c79d85b6-a5ea-4662-a82b-e1ba43386f5e", + "id": "bundle--97ac3e37-b65a-49c8-8052-b85c65b483b8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json b/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json index 98f2275161..0e4c8cad07 100644 --- a/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json +++ b/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2244c645-f095-4c10-bc80-e3a6b50e6ad6", + "id": "bundle--45aa2108-bb63-4353-b929-b44fd1cea231", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json b/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json index 528ea30e6d..19784e90c9 100644 --- a/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json +++ b/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3569f656-d84f-45f2-9959-1d391c2c122e", + "id": "bundle--de0596ee-b2d2-4cd5-9827-20ca6b291912", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json b/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json index 84db22497f..89197e9f7c 100644 --- a/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json +++ b/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--adb6fb85-8f65-4a63-986d-5293e7053ee0", + "id": "bundle--076c9e25-3bfb-4277-a6fd-200d7465900b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json b/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json index 479e6d3d46..7c452b37e8 100644 --- a/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json +++ b/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e6da5ef6-5580-4bb2-baba-1b11359dfa85", + "id": "bundle--857789a8-4b49-4206-9fe3-7fc6f880b6d4", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json b/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json index 927d3d0724..aea06d6fd1 100644 --- a/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json +++ b/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--135caa95-ef41-4a17-a210-a3409a1c459a", + "id": "bundle--56d8dd3a-424f-4e66-a8bd-29da61715ed2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json b/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json index 16b236785e..6ae07645d4 100644 --- a/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json +++ b/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6fa60e9e-da70-4310-ba71-87266f12eb2e", + "id": "bundle--db4bade2-d07e-460c-b420-f079d81cc0b3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json b/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json index 51923585ed..9d9e6238b1 100644 --- a/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json +++ b/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ff49def2-f396-4ab7-a31f-b59d8da2dc88", + "id": "bundle--2f4a5eb6-731c-4f56-a893-ab239b7605a1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json b/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json index e08bb81d4d..188ef94780 100644 
--- a/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json +++ b/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c11929c7-7ff2-4a48-a3cd-5106fede0df6", + "id": "bundle--23b3cfb4-1835-4f65-b609-c9b72b0cd326", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json b/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json index c052d401f9..b09739511e 100644 --- a/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json +++ b/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4657aacc-0d98-45f9-8dcb-0d8b8f962c64", + "id": "bundle--f33daf04-d4bc-4cad-b9bd-9c4c06fa39ec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json b/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json new file mode 100644 index 0000000000..dd05a4253c --- /dev/null +++ b/ics-attack/relationship/relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--812a87bf-9478-4de5-ac02-c637853209e0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9e98d88c-4138-4d0e-8db0-cddf956ab500", + "created": "2023-09-29T18:07:28.902Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:07:28.902Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json b/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json index 469ad37e27..0717f1e433 100644 --- a/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json +++ b/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6ca697e-5501-4412-b5bb-8fdd0bed04dc", + "id": "bundle--ef653d93-120b-476b-9044-b2eebd185028", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json b/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json index 804027c49c..2fa9e5ca7c 100644 --- a/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json +++ b/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8678e72-3c6c-40cc-bee8-531a1eeb8b10", + "id": "bundle--5bfda8bb-4331-4ee4-a46a-712afa14b273", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json b/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json new file mode 100644 index 0000000000..e7162f76d6 --- /dev/null +++ b/ics-attack/relationship/relationship--9f2926a2-596f-459e-827e-6fe2d4646efd.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--cfe10763-52cc-4b4f-9ff5-c91c1b107538", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9f2926a2-596f-459e-827e-6fe2d4646efd", + "created": "2023-09-29T18:06:46.756Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:46.756Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json b/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json index c4bb8ef0f1..30d2784385 100644 --- a/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json +++ b/ics-attack/relationship/relationship--9f43126d-5f6c-42a9-9908-49175c27ead7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e9c7b34-cf43-47d0-ae4c-6ae433047e29", + "id": "bundle--a643d1a2-59cb-4863-8159-9277e21fc609", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json b/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json new file mode 100644 index 0000000000..7f3c26492c --- /dev/null +++ b/ics-attack/relationship/relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c4bdf826-b2da-4a78-a8c0-dcd4519c2bf4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9fa6797f-f2cb-4b93-b8eb-f40936e967f3", + "created": "2023-09-28T21:12:14.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:12:14.470Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json b/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json index 66083457c8..d5a409e928 100644 --- a/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json +++ b/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--923ecb60-7579-497b-9cee-cfe2927d5b11", + "id": "bundle--19c391d7-4879-4368-b026-1b15b2ff0e2e", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json b/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json new file mode 100644 index 0000000000..04ccdf67c7 --- /dev/null +++ b/ics-attack/relationship/relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--34f8e1f2-6f42-479d-94e8-6c3fcf2ffd21", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9fb8c8ab-67de-42df-a82d-b6e45b82d949", + "created": "2023-09-27T14:48:40.533Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.265Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render serial-to-ethernet converters inoperable. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
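Review bot: The citation in `external_references[0].description` spells the report title "Analysis of the Cyber Attack on the Ukranian Power Grid", which looks like a misspelling of "Ukrainian". Anyone matching this reference by title against the E-ISAC/SANS document, or de-duplicating citations across objects, will miss it. If the published title is spelled correctly, the text should read `Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case`. The "Retrieved March 27, 2018" date is well before this object's `created` value of 2023-09-27, so the citation was presumably carried over from an older object. It is worth confirming that the `url` still resolves to the same report.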
diff --git a/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json b/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json new file mode 100644 index 0000000000..e8cb27cee4 --- /dev/null +++ b/ics-attack/relationship/relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--17d1d779-0a36-42e6-8b7c-3eb8ae062383", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9ffbf620-8e1f-4542-a271-9a3692db9a47", + "created": "2023-09-28T20:04:19.147Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:19.147Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json b/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json index a95224fa20..e47d7e53d1 100644 --- a/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json +++ b/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9eae177b-849c-4279-8ea6-b948dea4c342", + "id": "bundle--d13be91f-c7fd-4c99-9d9b-2170fd0c3479", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json b/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json index a3050a3e60..df411acd2f 100644 --- a/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json +++ b/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53b62251-6c3e-47be-b227-caf54b1ccf9e", + "id": "bundle--95e1a745-c73a-4cc8-bff7-0ac1af0ab005", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json b/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json index 7265788999..8154345e7a 100644 --- a/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json +++ b/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--534df891-7fac-4a39-ac8f-31c76b616c08", + "id": "bundle--37e1224f-0bec-4233-a4fa-1cdb6ea06c25", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json b/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json index 8e1f5bd3bf..c228571c45 100644 --- a/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json +++ b/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0fc28867-1888-4027-aed5-e576856101d1", + "id": "bundle--e3a7d13b-2fb6-49c6-8f7d-3ac62ac12acb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json b/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json index fdd1dc3b8f..62e1a12063 100644 
--- a/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json +++ b/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a2602e0-3534-4832-9f61-dedd25a618bb", + "id": "bundle--03572bb1-a13e-4ff7-9f8a-d6d01484d1db", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json b/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json new file mode 100644 index 0000000000..67a8729726 --- /dev/null +++ b/ics-attack/relationship/relationship--a15d718f-af30-4745-a837-887ba8f48727.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6d7863c8-d08b-4fb7-b63d-91e261f442c0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a15d718f-af30-4745-a837-887ba8f48727", + "created": "2023-09-29T16:30:46.705Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:30:46.705Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json b/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json index fb018eb260..580734901c 100644 --- a/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json +++ b/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a070827-a63f-4803-9ace-477e574127d7", + "id": "bundle--812665f7-7bff-4186-9b7d-25e16f76b696", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json b/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json new file mode 100644 index 0000000000..f42005d6cf --- /dev/null +++ b/ics-attack/relationship/relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d8060283-e49f-4e06-b481-0a747180fe24", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a1d2df14-6f44-44ac-99c2-3e3f55f53476", + "created": "2023-09-29T16:43:16.472Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:43:16.472Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json b/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json new file mode 100644 index 0000000000..7d2b279d33 --- /dev/null +++ b/ics-attack/relationship/relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a7950cba-8e97-47fa-bcca-02f406617060", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a1d99bbc-8d7c-4263-a909-95a9507b43c3", + "created": "2023-09-29T16:28:17.629Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:17.629Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json b/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json index f758b8c4d4..a42b1988b4 100644 --- a/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json +++ b/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0afce39b-f245-450b-ad91-1b9572640c8b", + "id": "bundle--d16c25d6-86f1-4e51-bc5d-2487920d751e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json b/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json new file mode 100644 index 0000000000..37bc1a83a5 --- /dev/null +++ b/ics-attack/relationship/relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--43736271-5808-4d22-aab5-d2c60dc8cc90", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a221bbb3-5f4f-4879-ae1d-37e8d3022039", + "created": "2023-09-28T21:16:05.517Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:05.517Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json b/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json index b3bcc0e06e..f89ef68c12 100644 --- a/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json +++ b/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2f3f30d-52f9-40b7-9c6c-7a829e7875b0", + "id": "bundle--5101a53c-c8fc-467d-b32c-e775aabbc192", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json b/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json new file mode 100644 index 0000000000..56d95015b3 --- /dev/null +++ b/ics-attack/relationship/relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7db09711-2ee8-4f80-9e95-ac0995675e2d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a23aefa6-15f5-481c-ac3d-09b8e4b3003b", + "created": "2023-09-29T16:44:03.912Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:03.912Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json b/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json new file mode 100644 index 0000000000..5688335de2 --- /dev/null +++ b/ics-attack/relationship/relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--42d6f4fc-2ed2-436a-a713-2f757984a2d2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a287bc05-20cb-4476-ba1f-15bfde6e601d", + "created": "2023-09-29T18:04:05.993Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:04:05.993Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json b/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json index fe520b86d3..66ce2c3a5c 100644 --- a/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json +++ b/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ca2b291-429a-47d7-9561-0c16170c5c31", + "id": "bundle--ec42a7dc-8987-44aa-af70-e7e89e22665e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json b/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json new file mode 100644 index 0000000000..b096277d88 --- /dev/null +++ b/ics-attack/relationship/relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--291ca38c-a159-443f-9381-c120a7cfa484", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a2f0b9ba-2d6e-43a5-adca-3ec42dba5ce9", + "created": "2023-09-29T16:36:28.818Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:36:28.818Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json b/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json new file mode 100644 index 0000000000..c634edc844 --- /dev/null +++ b/ics-attack/relationship/relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d3cf3a86-6012-4f46-8972-176279977a2f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a3f258ea-6d4d-4b0e-8ff2-b91f49dfd4d7", + "created": "2023-09-29T16:39:54.248Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:54.248Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json b/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json new file mode 100644 index 0000000000..34902df3e8 --- /dev/null +++ b/ics-attack/relationship/relationship--a45cec05-2d81-4db1-9267-db8be498e0d2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--38ffd85b-8e6f-4475-909a-132da3318647", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a45cec05-2d81-4db1-9267-db8be498e0d2", + "created": "2023-09-29T16:46:50.699Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:50.699Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json b/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json new file mode 100644 index 0000000000..7fcb472519 --- /dev/null +++ b/ics-attack/relationship/relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--75effbce-c549-4a15-8d63-c495c618ab82", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a466d5b4-39f0-48c1-9a19-f006dc4cb0ac", + "created": "2023-09-29T17:40:58.726Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:40:58.726Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json b/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json new file mode 100644 index 0000000000..680826a805 --- /dev/null +++ b/ics-attack/relationship/relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0089dad1-2080-4ba2-8231-c45417b4706e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a46f722e-4399-4aa6-b0a9-61fae9d0bf63", + "created": "2023-09-29T17:57:44.978Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:57:44.978Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json b/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json index 3ebaaa2378..3fdd979a9a 100644 --- a/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json +++ b/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2f5456f-68af-4cd0-8630-a0a68a40d2e9", + "id": "bundle--3b1a2186-0ecd-47b0-8ced-af94b2f60dd5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json b/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json new file mode 100644 index 0000000000..6d888a282f --- /dev/null +++ b/ics-attack/relationship/relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5.json 
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--3337cc3c-ab08-4f8a-9783-0fba70ef7300",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--a4c64fbc-bac4-44b8-ba52-8fcfa3f674e5",
+ "created": "2023-09-29T17:40:08.922Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:40:08.922Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json b/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json
index b7bd11b063..9ede7368c1 100644
--- a/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json
+++ b/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--120ced3e-acf1-49d9-9d98-271252f0d440",
+ "id": "bundle--32e588c0-4732-447c-b68f-be11aa6aa354",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json b/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json
new file mode 100644
index 0000000000..ca11d655f9
--- /dev/null
+++ b/ics-attack/relationship/relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf.json
@@ -0,0 +1,38 @@
+{
+ "type": "bundle",
+ "id": "bundle--efa99448-991e-4171-b3c5-2294998576b4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--a57b233b-6613-4f78-aa48-e85518aaa7cf",
+ "created": "2023-09-27T14:45:26.126Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Booz Allen Hamilton",
+ "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ",
+ "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf"
+ },
+ {
+ "source_name": "Charles McLellan March 2016",
+ "description": "Charles McLellan. (2016, March 4). How hackers attacked Ukraine's power grid: Implications for Industrial IoT security. Retrieved September 27, 2023.",
+ "url": "https://www.zdnet.com/article/how-hackers-attacked-ukraines-power-grid-implications-for-industrial-iot-security/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-27T15:28:24.006Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) remotely discovered operational assets once on the OT network. (Citation: Charles McLellan March 2016) (Citation: Booz Allen Hamilton)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
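Review bot: The `Booz Allen Hamilton` entry in `external_references` is not a usable citation as written: `Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ` runs author and title together, puts the full stop before the retrieval date, writes that date in a different format from the `Charles McLellan March 2016` entry below it, and ends in a trailing space inside the string. Analysts following `(Citation: Booz Allen Hamilton)` from the relationship description rely on this text to locate and date the source. Bringing it to the same shape as its neighbour would fix it, e.g. `"description": "Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019."`; the publication date is not stated in the hunk, so `n.d.` stands in for it.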
diff --git a/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json b/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json
index 5dd9e47fe6..83a593ec9f 100644
--- a/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json
+++ b/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--172d00b6-ef64-4ae2-ac81-8b07290fdec6",
+ "id": "bundle--5d98dd76-6874-4bf5-92f7-082864d5ce03",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json b/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json
index c37a869400..e994d9903a 100644
--- a/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json
+++ b/ics-attack/relationship/relationship--a6479493-6154-408f-90df-9d2f3ae352d1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6daad258-c8e9-4822-a47b-7c5a7b3c71d2",
+ "id": "bundle--820f9004-3906-4a61-a976-2a7692d29b93",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json b/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json
index dd40f23528..16ca87dcaf 100644
--- a/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json
+++ b/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c957022b-4478-410d-b9a6-be56b7175cce",
+ "id": "bundle--49821304-b3e0-415c-9aaf-b3852e213718",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json b/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json
index c35976ffee..a1ee1ac468 100644
--- a/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json
+++ b/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cd40e34d-2ae8-44f3-88c9-409714e72861",
+ "id": "bundle--7a00b295-9b64-46cc-a02e-79fa6aaa73e7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json b/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json
new file mode 100644
index 0000000000..6dcae5b3f1
--- /dev/null
+++ b/ics-attack/relationship/relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--c50e0ab1-9593-4563-8843-c4bd960df723",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--a6e9bbe1-3e59-45c0-987a-b5354d602dc7",
+ "created": "2023-09-29T17:05:56.185Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:05:56.185Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
+ "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json b/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json
index e338f0003b..7bbf47c1f0 100644
--- a/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json
+++ b/ics-attack/relationship/relationship--a717ccc7-0fe6-4a83-951f-5a89037ed927.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--406fada4-5eef-4453-8ba1-bce0d5c71941",
+ "id": "bundle--2b66a35b-f4b8-4dc6-ac3f-c2ea7968b7ac",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json b/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json
index 3bb805a27d..7163cf7094 100644
--- a/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json
+++ b/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cb3d80e3-2507-4a50-a84c-d3b828d0e7d3",
+ "id": "bundle--ddaa1c03-d7f8-4180-ba77-be4a7347512d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json b/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json
index 5723ceba81..8ca4d0fd07 100644
--- a/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json
+++ b/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--154d5b93-23f9-4566-a266-41236e694576",
+ "id": "bundle--631a199d-c384-4316-978e-2a10af67a601",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json b/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json
index 3c6d56fb02..f2cea2870b 100644
--- a/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json
+++ b/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e2677249-7006-4b63-81cd-ef97b62e9407",
+ "id": "bundle--ccdc0674-8895-49d3-a9bc-ca7eaa91924e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json b/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json
index 34889d8ea4..74b5188daa 100644
--- a/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json
+++ b/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bf821a5c-0b35-4d9e-b041-3e0939dc9058",
+ "id": "bundle--9255cbe1-8b9f-41e6-bc03-8ebe166bcffd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json b/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json
new file mode 100644
index 0000000000..30f629697a
--- /dev/null
+++ b/ics-attack/relationship/relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--b7869525-2ad3-40dc-9fa3-ece3b2025bb0",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--a7a2790e-d5ba-4a46-bde3-c698c6ae52ac",
+ "created": "2023-09-28T19:41:16.927Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T19:41:16.927Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json b/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json
index 6b8ae72755..06afcd28c1 100644
--- a/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json
+++ b/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--315214ef-8cff-4063-87d5-549a73dfeb30",
+ "id": "bundle--28ba1d34-d192-4aec-ab87-5e0b01753fd1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json b/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json
index 46c05b179f..ed94fb3e2a 100644
--- a/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json
+++ b/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f95514a0-31a4-4ec2-b2ea-b3e12616e9ba",
+ "id": "bundle--936b19d8-2842-49ab-bee7-8c45a9623928",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json b/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json
index 867229bde0..4917154a26 100644
--- a/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json
+++ b/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json
@@ -1,24 +1,26 @@
 {
 "type": "bundle",
- "id": "bundle--5d9cafd2-e865-4a3e-a3e4-6ad7ef81b04c",
+ "id": "bundle--83512bf5-eafc-4215-931f-4b21323e97a3",
 "spec_version": "2.0",
 "objects": [
 {
+ "type": "relationship",
+ "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "type": "relationship",
- "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.175Z",
+ "modified": "2023-09-25T20:42:02.105Z",
+ "description": "All field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n",
 "relationship_type": "mitigates",
- "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n",
 "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
 "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json b/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json
index e4d0c3306b..da60f944de 100644
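Review bot: The rewritten `description` still ends in a literal `\n` and still reads `field technician` in the singular beside `engineers`, both carried over from the removed line; since the sentence is being rewritten anyway, `... (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism."` without the trailing newline would be cleaner for tools that render or compare this text. The same trailing `\n` is kept in the new `description` of the relationship--a91002fe-21b2-4417-9c23-af712a7a035c hunk. `x_mitre_version` stays at `1.0` in both hunks although the mitigation wording changed; if the project versions relationships on content changes this may need a bump, which the hunk alone does not settle.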
--- a/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json
+++ b/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3572c7d1-9072-4419-a9e8-2dc3a7461f18",
+ "id": "bundle--df0fe4d0-7b03-4a31-a0db-b905dc4f51e6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json b/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json
index 070c21521b..fe453fd348 100644
--- a/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json
+++ b/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--63107a2c-b6e2-4407-bd5c-4c8b495e35ad",
+ "id": "bundle--319facbf-9987-471f-bf4a-dd6bbb2200f0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json b/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json
index 49206c6edc..17eb8cc59b 100644
--- a/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json
+++ b/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--69eee4e6-478a-4ef1-a02d-7668ceb2a600",
+ "id": "bundle--d2fa9b55-0c5c-49ab-aaec-39fd4d15ddf1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json b/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json
index 662234476f..e783fbe071 100644
--- a/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json
+++ b/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bd25646a-43c1-4846-b085-ba77a1c9caef",
+ "id": "bundle--598a7bbe-2a88-4ca1-a810-f90f476b2127",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json b/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json
index cc971bbb0b..1c37ec3ca2 100644
--- a/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json
+++ b/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eb08637c-2bb0-4c04-9910-85e24785bbd0",
+ "id": "bundle--62419e66-1444-414a-85b0-c9c2b7beb2bc",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json b/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json
new file mode 100644
index 0000000000..2c024ec6dd
--- /dev/null
+++ b/ics-attack/relationship/relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--ec346250-5593-421a-9c2f-06f48bdc9a8a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--a84dd2f5-d4f4-44c1-ba51-4804f40576e1",
+ "created": "2023-09-28T20:28:27.970Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T20:28:27.970Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json b/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json
index b01f8c59bd..e91c0ad382 100644
--- a/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json
+++ b/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d113e9e6-dfa6-46f2-a737-b4ddac59e460",
+ "id": "bundle--49408085-de79-40de-bbba-ffd87182681b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json b/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json
index 9146cada64..a307eb553d 100644
--- a/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json
+++ b/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json
@@ -1,24 +1,26 @@
 {
 "type": "bundle",
- "id": "bundle--d9367112-7c4a-4b9a-80a0-b48bc3f84a15",
+ "id": "bundle--23ce7112-c42b-47b8-bbd3-3a752b69f018",
 "spec_version": "2.0",
 "objects": [
 {
+ "type": "relationship",
+ "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c",
+ "created": "2021-04-13T11:15:26.506Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "type": "relationship",
- "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2021-04-13T11:15:26.506Z",
- "modified": "2022-05-06T17:47:24.156Z",
+ "modified": "2023-09-25T20:46:24.589Z",
+ "description": "Utilize code signatures to verify the integrity and authenticity of programs installed on safety or control assets.\n",
 "relationship_type": "mitigates",
- "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n",
 "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
 "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 }
 ]
 }
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json b/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json
new file mode 100644
index 0000000000..3b9e9aeecc
--- /dev/null
+++ b/ics-attack/relationship/relationship--a91295dc-b381-4dc9-9384-9f9949066778.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--382e6fa8-62fd-4849-8ba7-a92fda77f106",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--a91295dc-b381-4dc9-9384-9f9949066778",
+ "created": "2023-09-29T18:42:18.446Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T18:42:18.446Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json b/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json
new file mode 100644
index 0000000000..d2fcaa174b
--- /dev/null
+++ b/ics-attack/relationship/relationship--a93ba793-24dd-47dd-b32c-4c3016124c90.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--adaf0d55-6896-4b2d-b24c-d093d665d869",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--a93ba793-24dd-47dd-b32c-4c3016124c90",
+ "created": "2023-09-29T18:43:02.969Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T18:43:02.969Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json b/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json
index a68932af75..c71a84f295 100644
--- a/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json
+++ b/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--39621a0f-591b-4f99-9e67-fc1d4169787a",
+ "id": "bundle--b5f70bd1-fd5d-4b62-a42b-4fcb776fad95",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json b/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json
index 73b8766703..72024eac42 100644
--- a/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json
+++ b/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6a583a1c-f214-4603-8da6-4b797b1f6e98",
+ "id": "bundle--a51ac266-a210-47fd-9dfb-29086fc962c2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json b/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json
index 18cf2ba2f1..eba6d0652d 100644
--- a/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json
+++ b/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--36960d5c-df1f-4328-8d49-8bcff32b9e38",
+ "id": "bundle--1806eaae-a463-4d82-be59-10c22d413de6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json b/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json
new file mode 100644
index 0000000000..9abb5e8e25
--- /dev/null
+++ b/ics-attack/relationship/relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--979c8d83-0bad-4e42-ac10-2b6dfdea8fbf",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--aa7a0f45-e027-4d79-8413-5d807f44c1ba",
+ "created": "2023-09-29T17:42:56.284Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:42:56.284Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
+ "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa.json b/ics-attack/relationship/relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa.json
index 36da86eb2c..d6a8001e82 100644
--- a/ics-attack/relationship/relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa.json
+++ b/ics-attack/relationship/relationship--aaacfa83-033f-4555-ba6b-ecc7692a25aa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d982dc3b-6a4e-467f-a322-5f25d548c9d6",
+ "id": "bundle--c3f9ec10-8293-447b-9f81-61e9bbe76a2a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json b/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json
index 93cf7f189b..648bc3362b 100644
--- a/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json
+++ b/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0ab2eefc-e749-47af-be60-f83c873df9c2",
+ "id": "bundle--b19aee08-a2e8-41d4-9f3b-a1277e0b2d12",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json b/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json
index 19179e70a7..249c822f4d 100644
--- a/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json
+++ b/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--77b70bf3-fe27-48de-b9ab-47c28ccc2fd4",
+ "id": "bundle--77f35e7e-e517-491f-bfa7-38e95b72d42d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json b/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json
index 36204775bc..85b12cceed 100644
--- a/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json
+++ b/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b498d304-3264-40f0-89d9-b5a7bec8850b",
+ "id": "bundle--ca7fadd5-abaa-4bf4-b263-adb718ab6991",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json b/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json
new file mode 100644
index 0000000000..95aaeeaf2e
--- /dev/null
+++ b/ics-attack/relationship/relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--8428b347-d5e7-40cf-8641-4db6f6957c0a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ab5c9a38-3140-43b6-bcf4-6197a116cd0b",
+ "created": "2023-09-29T17:37:50.048Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:37:50.048Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json b/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json
index cccf7a1a1a..a30c5aa8bb 100644
--- a/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json
+++ b/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f934b423-e420-43cc-994a-f931cec3174f",
+ "id": "bundle--19beecde-33b9-4402-be73-ebef79521875",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json b/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json
new file mode 100644
index 0000000000..363be246f8
--- /dev/null
+++ b/ics-attack/relationship/relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--736e9e93-1bdb-47ec-9c71-44b67247ed1d",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ab844cd2-0f56-44f9-9838-cd5f04d75f3e",
+ "created": "2023-09-29T17:37:16.719Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-29T17:37:16.719Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json b/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json
new file mode 100644
index 0000000000..c5597dc81d
--- /dev/null
+++ b/ics-attack/relationship/relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed.json
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--19889cb9-0f98-4ab0-a3d1-0753035956e5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ab8bf0a3-0eef-4364-a3f9-f6ab6222afed", + "created": "2023-09-28T19:41:30.623Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:41:30.623Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json b/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json index e21e26b4d3..6703ad926e 100644 --- a/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json +++ b/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f8c2c54c-5a51-49e0-a1bc-a14057f41c14", + "id": "bundle--8be48989-ff1c-4a71-905c-2e9d8ad73ab4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json b/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json new file mode 100644 index 0000000000..2f11cdcc89 --- /dev/null +++ b/ics-attack/relationship/relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291.json 
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--71d9900d-11c8-4107-a98a-9205644d43a9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ac63d227-ff8a-43b8-81ef-ec4c046c4291",
+ "created": "2023-10-02T20:20:19.426Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-10-02T20:20:19.426Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json b/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json
new file mode 100644
index 0000000000..001664398c
--- /dev/null
+++ b/ics-attack/relationship/relationship--ac933d76-8207-4bf7-add2-92b60cf3044b.json
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--21f44ee0-8ff6-498d-8a55-5789ebe4098a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ac933d76-8207-4bf7-add2-92b60cf3044b",
+ "created": "2023-09-28T20:04:54.213Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T20:04:54.213Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
+ "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json b/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json
new file mode 100644
index 0000000000..4c907a1314
--- /dev/null
+++ b/ics-attack/relationship/relationship--acace658-da7e-4a19-aa98-8aec8c966dde.json
@@ -0,0 +1,33 @@
+{
+ "type": "bundle",
+ "id": "bundle--0677deb4-99ac-4dbc-ae45-69b4a550b06a",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--acace658-da7e-4a19-aa98-8aec8c966dde",
+ "created": "2023-09-27T14:53:03.323Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Ukraine15 - EISAC - 201603",
+ "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.",
+ "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-10-04T17:03:24.266Z",
+ "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breaks after gaining control of operator workstations and accessing a distribution management system (DMS) application. (Citation: Ukraine15 - EISAC - 201603)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba",
+ "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json b/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json
index 10f355d79a..1145ba2daf 100644
--- a/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json
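Review bot: The `description` of the new `uses` relationship `relationship--acace658-da7e-4a19-aa98-8aec8c966dde` says Sandworm Team "issued unauthorized commands to substation breaks", which looks like a typo for "breakers". Suggested wording: `issued unauthorized commands to substation breakers after gaining control of operator workstations`. The citation text in `external_references` also spells the report title "Ukranian". The deleted `relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f` used the same spelling, so it may be carried over from the source entry, but it is worth checking against the document's title because analysts search on these strings.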
+++ b/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ced5a68e-5b2b-46fc-804c-9cb22d95be5b", + "id": "bundle--fb0e9bd2-0fd5-42cc-994d-0d1b9df4587d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json b/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json index cfe5d1f442..bae21bed16 100644 --- a/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json +++ b/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--996cf01d-f241-4c8f-b733-dab4b7e28a91", + "id": "bundle--dc9e7f82-a588-4bc6-8edc-ae87bc71e1ef", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json b/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json index 5ffcff97bd..0e239e5b62 100644 --- a/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json +++ b/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6dda5d10-d13c-4d2f-9f02-db9a613d7374", + "id": "bundle--25ba20b6-53ae-4d79-a39d-ea0360265f61", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json b/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json new file mode 100644 index 0000000000..0195bcc555 --- /dev/null +++ b/ics-attack/relationship/relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ac008470-095f-44d9-b23d-6380bd8204c9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--adb41ca8-7d2a-4025-b673-db44c9e1f16b", + "created": "2023-09-28T21:12:39.257Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:12:39.257Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json b/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json index 57caab46a8..dbca61b213 100644 --- a/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json +++ b/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b5f6e10-095b-46ad-9ce2-8db6b15fcc8d", + "id": "bundle--0667222d-670a-4f7c-8c3d-226dffae1de4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json b/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json index 8d2121c0de..ae2c30ed76 100644 --- a/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json +++ b/ics-attack/relationship/relationship--adf2072c-0341-4fc2-9d25-495b4af864e9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--188734f6-52db-4144-9f29-35f86f151168", + "id": "bundle--2ede9f2d-96af-4e16-a6a5-fdafa81ff706", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json b/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json index a59a6cdb2c..4d70f8ddb4 100644 --- a/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json +++ b/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc87215a-766b-4030-95ed-75e457634122", + "id": "bundle--f5ab649d-f11e-4e4b-87c8-334b08e85439", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json b/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json new file mode 100644 index 0000000000..495cf8f1d6 --- /dev/null +++ b/ics-attack/relationship/relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fbaddb6b-6aa3-41bb-8035-e54ed89891e5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ae4e86c6-4bbb-4aba-80fc-c20a8f3d63dc", + "created": "2023-09-28T19:50:14.201Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:50:14.201Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json b/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json index 23ee6fb76d..ef3047aadd 100644 --- a/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json +++ b/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa4098c3-d4f7-47b3-bbd1-3ffbbe7311a8", + "id": "bundle--92a65640-aee8-44a5-ae99-77cad0ac1fbe", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json b/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json index b6307c0c00..e8af220c6d 100644 --- a/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json +++ b/ics-attack/relationship/relationship--ae7ed6d8-65cc-45a0-82c3-c28e5630bf7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4327414-fbc9-4347-98f0-d160e2583e06", + "id": "bundle--94540949-370b-4245-b6ee-871009c79825", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json b/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json new file mode 100644 index 0000000000..31bc53912e --- /dev/null +++ b/ics-attack/relationship/relationship--af20f409-05ed-42c3-ae3e-09b047b84875.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2a3bc6b8-6051-49ed-8eb1-15ec5b6f4f68", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--af20f409-05ed-42c3-ae3e-09b047b84875", + "created": "2023-09-25T20:49:25.308Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:49:25.308Z", + "description": "All field controllers should require that user authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies,\u00a0Password Policies, and\u00a0User Account Management.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json b/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json index 61c489a249..df2b65ad7a 100644 --- a/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json +++ b/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f02da840-7dba-4b3e-ac0c-f89bd64c35bf", + "id": "bundle--e18cebba-6b6f-469f-9c35-29c434b32780", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json b/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json new file mode 100644 index 0000000000..4b6b57dd9c --- /dev/null 
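Review bot: The `description` of the new `mitigates` relationship `relationship--af20f409-05ed-42c3-ae3e-09b047b84875` contains non-breaking spaces (`\u00a0`) after "Account Use Policies," and after "and", where ordinary spaces are expected. Phrase matching or tokenising across those positions in tooling that indexes this field will behave differently from the rest of the corpus, so they should be replaced with plain spaces. The same sentence has a grammar slip, "require that user authenticate"; suggested wording is `require that users authenticate for all remote or local management sessions`. This object also declares `x_mitre_attack_spec_version` as `3.1.0`, while the other relationships added in this part of the commit use `3.2.0`; that may be intentional, but it should be confirmed.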
+++ b/ics-attack/relationship/relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--84619e11-3141-48f4-94fb-bb8c19e910f6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--af25cacc-6b1a-47d2-8e13-cb2a7e92b379", + "created": "2023-09-28T21:17:32.313Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:17:32.313Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json b/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json new file mode 100644 index 0000000000..60acf70d58 --- /dev/null +++ b/ics-attack/relationship/relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--65244f02-094d-4ea2-92bb-959d3f05bc06", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--af802091-fee7-4d15-a845-fb4ee3c26d6d", + "created": "2023-09-29T16:44:42.393Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:42.393Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json b/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json index 1c3718412e..36d15a0f40 100644 --- a/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json +++ b/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--47568e29-2114-4eb7-9462-3f183d07f26d", + "id": "bundle--f01a0fae-1122-40f7-9087-9e5e90732a48", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json b/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json index 2d5acbdb59..38083a98cd 100644 --- a/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json +++ b/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a08899a-8821-4f2d-8806-9f2f55a83f48", + "id": "bundle--d3d690e5-00d3-472f-9eb4-a8dc2dcb807d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json b/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json new file mode 100644 index 0000000000..234dd68521 --- /dev/null +++ b/ics-attack/relationship/relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4926439e-62b5-43f6-82ed-78d0247fb247", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--afe18ec4-b5b8-43f7-b9e9-64a579b4b4e1", + "created": "2023-09-29T17:37:41.336Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:37:41.336Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json b/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json new file mode 100644 index 0000000000..eb348afcfa --- /dev/null +++ b/ics-attack/relationship/relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8f0d074d-7685-4371-9bdd-a91cbad13405", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--aff2fb40-9ef5-42c9-bc7a-4939b509fbf1", + "created": "2023-09-29T16:40:30.440Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:40:30.440Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json b/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json index 89d227ecd8..76a8c02f8e 100644 --- a/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json +++ b/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--587eccd6-c127-4a50-b9ea-11dd822ee3ff", + "id": "bundle--21f6ccc5-1f85-4e3d-ac56-1482e40cf94e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json b/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json index cc110ba171..e5e3ea9cb6 100644 --- a/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json +++ b/ics-attack/relationship/relationship--b07e6896-a840-49a1-8d58-94396a902b95.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d857aff-a209-4924-9812-0fc64f3712af", + "id": "bundle--0de76780-7bb2-44fe-95e7-3ee097f159a3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json b/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json new file mode 100644 index 0000000000..6f1375b3de --- /dev/null +++ b/ics-attack/relationship/relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--17e417ad-0ec0-4e42-baf1-eb49535cf562", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b0945f9b-5608-472e-ad70-7b42c3e062a1", + "created": "2023-09-28T21:21:18.081Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:21:18.081Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json b/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json index d8a2b0c071..15fe3d8773 100644 --- a/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json +++ b/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df097bb7-59ca-4b0b-8616-851eeb819745", + "id": "bundle--107ff3c1-ff5c-4495-be0c-b71e2f6dd786", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json b/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json index 8527064953..f6a0c1e689 100644 --- a/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json +++ b/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e629c2e-cf9c-477f-9a76-d733245633fa", + "id": "bundle--7727893d-e856-493a-a07f-a58feb6bfe8e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json b/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json index e796124e5d..206ec6450e 100644 --- a/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json +++ b/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4436c5a-7aed-4972-81a1-72f70913d567", + "id": "bundle--b9e23542-1528-4cc9-8dc9-e74c74fe3b5d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json b/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json index 0411e112ae..2b09991a5f 100644 --- a/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json +++ b/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a37b4313-5e76-4a47-96f9-221d6e9ceddc", + "id": "bundle--3c5d34c2-f922-4988-94c6-de75b465104a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json b/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json index b24ac78d7f..b19e499cb5 100644 
--- a/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json +++ b/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--256e6472-4510-44db-817d-aa0fa4031c93", + "id": "bundle--75d615da-24a5-4f9c-9e2c-61b39b1bc815", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json b/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json index 3ffd48624b..34dd2c63d7 100644 --- a/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json +++ b/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f7ee87a5-daad-4f27-8935-e59d835d6dc3", + "id": "bundle--4f9102a3-ba84-4464-87e1-d0ceb558f0a0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json b/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json new file mode 100644 index 0000000000..d8e0eae775 --- /dev/null +++ b/ics-attack/relationship/relationship--b1921480-8499-46a9-8396-2a2d747c5861.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4cc61b46-c948-447e-bb8c-4ebb1d20f31c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b1921480-8499-46a9-8396-2a2d747c5861", + "created": "2023-09-28T19:58:00.892Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:00.892Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json b/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json index 8b451f4d15..cf455b55d7 100644 --- a/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json +++ b/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3308d713-fb53-41ad-9c15-fe1fec21b26b", + "id": "bundle--dcc91b8d-d75f-4960-8820-45054269b189", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json b/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json new file mode 100644 index 0000000000..9a15fedef0 --- /dev/null +++ b/ics-attack/relationship/relationship--b21e0340-976d-44b2-94ae-f777199993c6.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fbcb7816-6e53-4aba-ad70-081665778b50", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b21e0340-976d-44b2-94ae-f777199993c6", + "created": "2023-09-28T19:39:00.326Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:39:00.326Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json b/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json index fd30c294b2..f70029c911 100644 --- a/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json +++ b/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6b30012-8859-4c2c-9f48-87df03e362e8", + "id": "bundle--ae6a1cfe-c472-4890-8b27-e8e83f4ade58", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json b/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json new file mode 100644 index 0000000000..446f17c0c2 --- /dev/null +++ b/ics-attack/relationship/relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a.json 
@@ -0,0 +1,26 @@
+{
+ "type": "bundle",
+ "id": "bundle--995c236c-ab84-4900-9fe3-5f528a196977",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--b289c971-3fb7-4c3c-b3d6-cf2702b9384a",
+ "created": "2023-09-28T21:10:50.480Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2023-09-28T21:10:50.480Z",
+ "description": "",
+ "relationship_type": "targets",
+ "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/ics-attack/relationship/relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json b/ics-attack/relationship/relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json
deleted file mode 100644
index 48c0892647..0000000000
--- a/ics-attack/relationship/relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json
+++ /dev/null
@@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--0f1618af-bbcd-4d8f-98f6-19427921725b", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T20:08:31.892Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) developed and used malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json b/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json index 1c35800c0d..5ffaf9da7d 100644 
--- a/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json +++ b/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ea6c50d-eca3-45c4-bb91-f043fbaaedb1", + "id": "bundle--ce77b48f-7fe2-4080-aa47-735b54b47681", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json b/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json index 7379168b8b..fd80e80965 100644 --- a/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json +++ b/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6990c9ba-926f-4bce-a0e5-04250505dd52", + "id": "bundle--794166a9-78e6-4c49-86a1-84718b42b19d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json b/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json new file mode 100644 index 0000000000..99589c8882 --- /dev/null +++ b/ics-attack/relationship/relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d9c853e6-e45c-485d-9590-106fc291610b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b2e8914a-91bc-42df-8b64-22e5365ede6f", + "created": "2023-09-29T17:42:11.005Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:11.005Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json b/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json new file mode 100644 index 0000000000..c60441b578 --- /dev/null +++ b/ics-attack/relationship/relationship--b33f2abc-a218-425b-9a90-b75445b7e142.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--344f80ff-437e-46d7-bf35-09ad80557ab5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b33f2abc-a218-425b-9a90-b75445b7e142", + "created": "2023-09-29T18:05:51.795Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:05:51.795Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json b/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json index a21da3d448..c270c22905 100644 --- a/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json +++ b/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--133f255b-f832-4871-b214-847d96d540ed", + "id": "bundle--bbd3c7bc-ab60-46fd-b29c-bffb1d8a1a4c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json b/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json index ebb23bc3fe..7a485722bd 100644 --- a/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json +++ b/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--475f7df8-1572-4011-8804-40bb0f196592", + "id": "bundle--2711bb7a-e362-434d-9f30-0e779e7204eb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json b/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json index eb67de6cd3..19bc1e94a7 100644 --- a/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json +++ b/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b60d2854-174d-4001-a0f8-ce7dafd8b12c", + "id": "bundle--a13e165d-9b72-4e0e-8a12-8d7702bedf0d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json b/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json new file mode 100644 index 0000000000..0ceba003b3 --- /dev/null +++ b/ics-attack/relationship/relationship--b352884f-2a60-41c6-b348-0bbb5859802a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b73458d2-e437-4916-b9e2-20be8d150893", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b352884f-2a60-41c6-b348-0bbb5859802a", + "created": "2023-09-28T20:01:52.459Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:01:52.459Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json b/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json index 5fb9da2ce4..bf9fbb9be4 100644 --- a/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json +++ b/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--88bcc93f-a8c0-427f-a899-e9d241560c9c", + "id": "bundle--b6009d76-7990-4ac4-86b6-8408bb7e0dce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json b/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json new file mode 100644 index 0000000000..cc2aaea55a --- /dev/null +++ b/ics-attack/relationship/relationship--b37844c1-0338-44f6-9116-48fa0f079913.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bd7cc056-515a-497b-8d19-08d2910e7d0a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b37844c1-0338-44f6-9116-48fa0f079913", + "created": "2023-09-29T17:41:11.611Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:41:11.611Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json b/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json index fc444a9139..0071c1dd31 100644 --- a/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json +++ b/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9af58d2f-cbc5-481f-87f3-7e021e6bb133", + "id": "bundle--bb301b60-aaf2-440e-a17e-5be1de1f2e3e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json b/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json new file mode 100644 index 0000000000..8179b3b0f3 --- /dev/null +++ b/ics-attack/relationship/relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2a052a49-1d0c-46ab-b762-82446443fbca", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b3aab26c-09c6-4264-af2a-5df260d3d8e2", + "created": "2023-09-28T19:48:58.160Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:48:58.160Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json b/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json index 96d33f9676..4de81c85cc 100644 --- a/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json +++ b/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3119675-1112-494f-8bc0-647dfeccfce8", + "id": "bundle--2575d430-318c-477f-a14e-6f1df5a19701", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json b/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json index 9c3f60ac6a..efbe937b28 100644 --- a/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json +++ b/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a621d982-8a1e-4507-b16e-661a1d365a1d", + "id": "bundle--b67432e2-fc27-4a06-ae0f-c0307826242d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json b/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json new file mode 100644 index 0000000000..0ba032b700 --- /dev/null +++ b/ics-attack/relationship/relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a39ece79-9154-41ff-987a-e9c3f34b8668", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b411f748-a1e9-40c6-8eb3-72f2de4dab08", + "created": "2023-09-28T20:02:20.170Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:02:20.170Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json b/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json index c61beeaa8f..4c27a06e10 100644 --- a/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json +++ b/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e950e24c-bf2b-4b05-b7b2-a115e38d805a", + "id": "bundle--c0ec0ddd-6ed9-451a-b2d3-68d10a7f6ca4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json b/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json index 9332748da8..cac77e8f92 100644 --- a/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json +++ b/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0ba9925-3b43-4620-a8ff-81125772f3ec", + "id": "bundle--5c881711-daa6-4352-a652-8bcb2721f29a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json b/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json index 04088b9d7b..ed0bd73fa7 100644 --- a/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json +++ b/ics-attack/relationship/relationship--b48a9fea-26a5-473c-9a5d-fcc3531e1fd3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e09ed040-a27c-4ed9-a628-a84d2efd412b", + "id": "bundle--71f62817-0427-40c9-bca5-516f337269e6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json b/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json index cd899dd9f7..c38b553264 100644 --- a/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json +++ b/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--489975a6-9d68-4203-9808-1985edab9e77", + "id": "bundle--a896ebd4-6d4f-49a6-8e90-4eb0139aa0df", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json b/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json index 947170e83a..d656ca9b6c 100644 --- a/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json +++ b/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--09160393-f46e-4f5b-aace-fc9e9e4ee5b2", + "id": "bundle--0e6f301d-7bdd-459e-b981-c4d8afdbcbbf", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json b/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json new file mode 100644 index 0000000000..d6b29cca64 --- /dev/null +++ b/ics-attack/relationship/relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b2656946-f146-45f4-a838-cadaf365bcf2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b4bb8bd7-8984-45de-888f-45c51ab157fa", + "created": "2023-09-29T17:45:55.581Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:45:55.581Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json b/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json index 8ae01bb4fd..995127882b 100644 --- a/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json +++ b/ics-attack/relationship/relationship--b4efcbe0-ffe3-4d9a-8dba-570e68494af1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--56e5a566-4716-49d0-841e-da8bbabf26a4", + "id": "bundle--dc225eb9-222e-4808-8470-b679d36c1c0f", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json b/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json index 5a1918a89b..496b154e4a 100644 --- a/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json +++ b/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--223d659a-39c2-4a42-b8c2-90b748295097", + "id": "bundle--cdda552d-45c5-4f3a-b691-666c7df9a609", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json b/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json new file mode 100644 index 0000000000..c472f82e36 --- /dev/null +++ b/ics-attack/relationship/relationship--b59a96e4-bd70-4459-9609-66563bccd9c3.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--09e2f31a-1eed-442f-a174-2efb6504e7d5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b59a96e4-bd70-4459-9609-66563bccd9c3", + "created": "2023-09-29T16:38:21.688Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:38:21.688Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json b/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json index e55f35f7fd..f7a570cf81 100644 --- a/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json +++ b/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c25df13-f12d-4dfa-ba04-c2fa6c2c5ae4", + "id": "bundle--419c7eb4-46a7-4df1-bc57-f56a061931a9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json b/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json index 3f6532193f..c2cbd0c253 100644 --- a/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json +++ b/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--775cb647-c098-496d-97d4-2dbfb2d27a54", + "id": "bundle--79720bd4-94e8-4e5d-9122-34b6aef7ba02", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json b/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json index 46892ab22c..a712b1a202 100644 --- a/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json +++ b/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73ce8560-73b1-4ace-8530-e35e15ff4b02", + "id": "bundle--9d3a45b5-cf52-48a8-a9ca-b3d7609da018", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json b/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json index d7a5ea6f9a..207d76a8be 100644 
--- a/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json +++ b/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32deda02-a9f7-4e26-90e1-5b0377c0dcfd", + "id": "bundle--20a7febd-ff18-4c7f-bac5-de6b474bd661", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json b/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json new file mode 100644 index 0000000000..667b9de381 --- /dev/null +++ b/ics-attack/relationship/relationship--b6309476-8268-4c47-920b-8a556cd8ae4c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c22f5cee-4d94-4eb2-90dc-082e07fce3cf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b6309476-8268-4c47-920b-8a556cd8ae4c", + "created": "2023-09-29T18:47:07.359Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:07.359Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json b/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json new file mode 100644 index 0000000000..884049342f --- /dev/null +++ b/ics-attack/relationship/relationship--b69905bd-6865-4092-9543-47bd9ae318ec.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8dc1ea48-361d-4d51-abf2-c2ab4cc1f855", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b69905bd-6865-4092-9543-47bd9ae318ec", + "created": "2023-09-28T19:54:22.618Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:54:22.618Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json b/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json index fd0e92d8cc..7fc07e1048 100644 --- a/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json +++ b/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ebf35c6-a888-44eb-b117-f31a9c975974", + "id": "bundle--918a133f-1e8e-4e77-ab6f-53a340921f78", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json b/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json new file mode 100644 index 0000000000..aacb8bf334 --- /dev/null +++ b/ics-attack/relationship/relationship--b7284360-0d80-45bb-8486-263ae8f8fa63.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--71b744d6-10c2-408f-998c-35bae2aa4b07", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b7284360-0d80-45bb-8486-263ae8f8fa63", + "created": "2023-09-28T21:26:01.106Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:01.106Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json b/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json index 2295eb7c26..fa1e6790d8 100644 --- a/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json +++ b/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7df4456-ddc0-4e3e-8900-2d7ea7585f7e", + "id": "bundle--1c6f16c8-2788-49b4-8236-476217a697e0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json b/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json new file mode 100644 index 0000000000..9e0b1eab5e --- /dev/null +++ b/ics-attack/relationship/relationship--b7344dfb-621b-4558-ab22-6c1f256ee746.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--20b459cc-934b-45d8-add2-18ffbdcdf2c6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b7344dfb-621b-4558-ab22-6c1f256ee746", + "created": "2023-09-29T16:46:27.408Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:27.408Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json b/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json new file mode 100644 index 0000000000..4c3b68160b --- /dev/null +++ b/ics-attack/relationship/relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4384c85c-9b85-4542-9612-accfd0733374", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b774fcb4-43bf-4ff1-98c6-0a94838eacc2", + "created": "2023-09-29T18:57:10.064Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:57:10.064Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json b/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json index 81212414aa..eaaff5ed00 100644 --- a/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json +++ b/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1d1fbad-6a8b-43a7-b9c4-a62e88ebca12", + "id": "bundle--f11fa197-0f99-4681-b99f-460a78b844e8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json b/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json new file mode 100644 index 0000000000..d552d31942 --- /dev/null +++ b/ics-attack/relationship/relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--723c9509-ae5e-47c2-a4fa-a35a185382d8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b7a9bff5-2e15-4d3d-ac88-84af1239a586", + "created": "2023-09-28T19:51:42.728Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:51:42.728Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json b/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json index c9e02c142d..fc4fcf217b 100644 --- a/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json +++ b/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d8338b3-038a-42a3-905d-445270892cce", + "id": "bundle--31bb1517-93df-41d6-a116-94aa52d05772", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json b/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json new file mode 100644 index 0000000000..b8ab01bdd8 --- /dev/null +++ b/ics-attack/relationship/relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f7b65476-1455-4a27-8254-3e9c3c5b7cab", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b84e1473-f370-42ad-ac3b-7caf3c8cd00e", + "created": "2023-09-29T18:42:53.573Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:42:53.573Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json b/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json index 1f37b4076c..10b9a458f6 100644 --- a/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json +++ b/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c49e3505-01b0-486e-a584-6f9550cafae9", + "id": "bundle--47a01129-2b5d-4f0f-a407-470347152514", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json b/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json index fa5feb6f93..007bd77f6a 100644 --- a/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json +++ b/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a1339b70-8b06-4420-bc82-8007be6a8236", + "id": "bundle--f347857b-2545-4835-9185-4c3d6699237f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json b/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json index 9246864acf..079e93c3bd 100644 --- a/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json +++ b/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a50178ef-2422-45eb-a7a0-f77d81cb47d2", + "id": "bundle--e4018ffa-fc46-4fe0-a051-4ca28be1e7a4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json b/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json index edc23d00bd..076dc40761 100644 --- a/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json +++ b/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6fa9d28e-9753-4a42-8225-8aa889466d3c", + "id": "bundle--3714bdcb-a9b5-4a3e-bfd7-c986959d7724", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json b/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json index e7146a0808..21feaee959 100644 --- a/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json +++ b/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0acf7611-a4cf-4c17-ae00-689fc9096d7a", + "id": "bundle--ae1714a3-50a4-46a7-a270-aa701d8cfd5d", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json b/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json index e3f9434bda..2af2f0f050 100644 --- a/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json +++ b/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc225eb6-f149-4299-86d2-633c6998f443", + "id": "bundle--19925b98-e9a1-4e89-adbe-bf1fa9186e83", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json b/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json index 2c6876ee53..60eb69e7b3 100644 --- a/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json +++ b/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30cec28d-5e23-4dac-abbf-a13aed9e1700", + "id": "bundle--c184235a-2491-4326-86cf-734374218e5b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json b/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json index 7b7f7f77d5..7d88835911 100644 --- a/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json +++ b/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5ad68234-9515-47a2-a9c0-2707f4262947", + "id": "bundle--89aa9b9d-ecf8-4154-9018-599e4c0180b2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json b/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json index c60751accb..2739a81c59 100644 
--- a/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json +++ b/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--29c9ca35-d23c-4b2e-8001-3a4d060ca2d8", + "id": "bundle--457451df-38c2-45c8-95c9-093972ac130b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json b/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json new file mode 100644 index 0000000000..8585732453 --- /dev/null +++ b/ics-attack/relationship/relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--00fbba39-7041-4479-87d5-609028632504", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ba496af3-2d99-4c2b-8ce0-20388f5d632c", + "created": "2023-09-28T21:28:36.325Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:36.325Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json b/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json new file mode 100644 index 0000000000..d75477b4f7 --- /dev/null +++ b/ics-attack/relationship/relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2150a1f3-0359-43a9-93f1-c36a00ffd60f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ba943eeb-5673-44b5-acbf-1cddc2fefb1a", + "created": "2023-09-28T20:03:54.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:03:54.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json b/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json new file mode 100644 index 0000000000..1a91637d2d --- /dev/null +++ b/ics-attack/relationship/relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8f33ff52-1ff6-4f63-8eb1-144ba6fc2541", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bac1f95c-87bf-4939-bc1a-7727aad738f7", + "created": "2023-09-29T18:49:34.208Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:34.208Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json b/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json index 2b9ea9e1b3..ee34b154dd 100644 --- a/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json +++ b/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83d08a91-791a-4c63-9738-4664e4cd1437", + "id": "bundle--9ecfc3f7-984b-40f9-8a9a-697c418630de", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json b/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json index 2a98f6d3b8..48ba317a21 100644 --- a/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json +++ b/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9726d56f-90b2-4912-ac4c-138af4de3138", + "id": "bundle--5faf2ae3-6006-4755-9f2e-7377d3c537aa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json b/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json new file mode 100644 index 0000000000..ace3ffe8b5 --- /dev/null +++ b/ics-attack/relationship/relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--97ccb4c9-99e7-4094-936f-9d82fb0415f9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bb3938a6-85ec-4f34-8bcd-6051de7e9259", + "created": "2023-09-29T16:45:08.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:08.209Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json b/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json new file mode 100644 index 0000000000..352964b3e3 --- /dev/null +++ b/ics-attack/relationship/relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a1b3bffb-56f1-4a6a-a9ff-f79535c9a7a4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bbeb2eae-7da2-4477-ad8e-8c67b00c53bc", + "created": "2023-09-28T19:53:44.848Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:44.848Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json b/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json index 26a7e03b80..b9f7954280 100644 --- a/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json +++ b/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0fca85e-1244-4fb2-a6b8-aa02b8190f5e", + "id": "bundle--1aa004dc-fa57-4164-84a9-633a5d66ff9e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json b/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json index 3861e166ff..93c624783c 100644 --- a/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json +++ b/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--468a68b6-8721-495c-b15b-2cf6ddb9be68", + "id": "bundle--2aeb1478-e62b-40b4-af73-95fd87bf4a79", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json b/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json index 3616d5d734..a38e7b9876 100644 --- a/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json +++ b/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8ab2935-7e96-46c6-b3f1-9093ad168f0f", + "id": "bundle--04cc1a0d-d951-4c83-8bbf-2b8ada61f6ff", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json b/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json new file mode 100644 index 0000000000..64e881ecb1 --- /dev/null +++ b/ics-attack/relationship/relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c0e25b17-e3fe-415b-8252-ff4145eda8de", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bc3a0b1f-f0ec-466f-8cad-8f47b07764c9", + "created": "2023-09-28T21:22:21.776Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:22:21.776Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json b/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json index e06679d906..42041ea895 100644 --- a/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json +++ b/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--45f56e0c-0b6b-4d07-8137-578020f8328e", + "id": "bundle--34549baa-5524-431b-83a9-000207bfe212", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json b/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json index 8f0135d049..6f0a6b2996 100644 --- a/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json +++ b/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e46fa66-697e-46f0-9f17-f39b627a7a02", + "id": "bundle--1b9f7955-ba45-4c9c-8066-86c4849e1d61", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json b/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json index 0dad24f790..e11545dc41 100644 --- a/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json +++ b/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e862c06-1281-4547-bda0-74bddaabd565", + "id": "bundle--12e242a5-3eac-46f7-95b0-c38eab431e18", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json b/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json new file mode 100644 index 0000000000..23eeced6f2 --- /dev/null 
+++ b/ics-attack/relationship/relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--601a8473-b24a-4774-a0b4-ebea8a22aa50", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bd7509cc-a7e5-4e29-b615-225dfbdd3c4a", + "created": "2023-09-28T21:16:24.310Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:16:24.310Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json b/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json new file mode 100644 index 0000000000..78a95a67ba --- /dev/null +++ b/ics-attack/relationship/relationship--bd869385-5778-4303-8993-cc6412d12303.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a842e9e0-b071-4604-bd49-ad08f26ec222", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bd869385-5778-4303-8993-cc6412d12303", + "created": "2023-09-29T18:45:59.108Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:59.108Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json b/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json index 92f0ec561c..38dfd446a0 100644 --- a/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json +++ b/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3846368e-4821-4637-8f4c-562caba73874", + "id": "bundle--9fe78848-ae11-4059-a35d-ad79408729d8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json b/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json index f841ea4a1a..e52476095e 100644 --- a/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json +++ b/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--74af336c-77f0-44f6-92c3-66bcb0e07711", + "id": "bundle--624f030e-5d71-4079-be5e-638c37bb7146", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json b/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json new file mode 100644 index 0000000000..6acc0c7407 --- /dev/null +++ b/ics-attack/relationship/relationship--be0f7d83-2441-4259-b411-46e0d10566b1.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--83da8952-9095-4eda-bd52-99cce9119d56", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--be0f7d83-2441-4259-b411-46e0d10566b1", + "created": "2023-10-02T20:23:24.179Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:24.179Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json b/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json index 743cd1f703..5fb010c1cd 100644 --- a/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json +++ b/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d98fa182-8c92-4f69-8c98-89b7f4c86514", + "id": "bundle--c7becc2d-38ac-4861-91cf-cf757da7f34a", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json b/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json index aa569abee8..cef07047e6 100644 --- a/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json +++ b/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66ad9351-0e8c-436c-a048-9f5fdbfb467e", + "id": "bundle--f671918d-be1a-4117-9886-d25c73151052", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json b/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json new file mode 100644 index 0000000000..28a51aa0a2 --- /dev/null +++ b/ics-attack/relationship/relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--79279f26-fe5f-4d69-a083-d07480fef83c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--beafc44c-228f-4a7e-9d92-ac1b16d730e2", + "created": "2023-09-28T20:31:17.116Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:31:17.116Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json b/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json new file mode 100644 index 0000000000..e550084222 --- /dev/null +++ b/ics-attack/relationship/relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d796db89-2d31-4fb5-a622-30c06a9353ce", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bf5356b1-d00e-43c3-ba92-ae504a737d76", + "created": "2023-09-29T16:46:12.472Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:12.472Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json b/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json index bd2d97cd09..084f772374 100644 --- a/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json +++ b/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--96de8d4e-b624-45a7-bb15-ab14e87e0c91", + "id": "bundle--7f3ee911-00a7-46f1-ad41-fcffa014f5be", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json b/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json new file mode 100644 index 0000000000..531fe9024d --- /dev/null +++ b/ics-attack/relationship/relationship--bf8e68fe-1969-48d1-be0e-ec742378748d.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d8223c4c-6f3c-4bec-8331-352577a139d6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bf8e68fe-1969-48d1-be0e-ec742378748d", + "created": "2023-09-29T18:56:34.302Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:56:34.302Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json b/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json new file mode 100644 index 0000000000..22d538f135 --- /dev/null +++ b/ics-attack/relationship/relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5baa84e4-9ee2-49a7-854e-d031e4801fee", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bf8f90a2-4d3a-436d-87d0-eff060fb2302", + "created": "2023-09-29T18:06:02.077Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:02.077Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json b/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json new file mode 100644 index 0000000000..3fdca6d8a0 --- /dev/null +++ b/ics-attack/relationship/relationship--bf9f227c-e306-4257-add1-39c7c2e42040.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3cc37ffb-2fe5-4b1e-a7d0-a324980983f2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bf9f227c-e306-4257-add1-39c7c2e42040", + "created": "2023-09-29T18:47:28.758Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:28.758Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json b/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json index fdb84f0b3a..c15bcdef89 100644 --- a/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json +++ b/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb306f5b-d3d9-4d20-802d-eb8338d9d5b8", + "id": "bundle--87e0cc50-e9cc-4308-8b6c-6990baae5deb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json b/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json new file mode 100644 index 0000000000..788c993de3 --- /dev/null +++ b/ics-attack/relationship/relationship--bffad8de-a807-4216-9753-008a87d9d77f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--44be4653-9080-448f-9950-899f684729a7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bffad8de-a807-4216-9753-008a87d9d77f", + "created": "2023-09-28T19:56:40.730Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:56:40.730Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json b/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json new file mode 100644 index 0000000000..93d9221999 --- /dev/null +++ b/ics-attack/relationship/relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--10204b69-78f9-4451-8801-7b8503a58576", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c047df7c-3ed7-455f-8b13-14ced8e93fef", + "created": "2023-09-28T21:17:47.080Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:17:47.080Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json b/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json index 8bfdd2d030..3e855aba84 100644 --- a/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json +++ b/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--21f8ece5-6692-4eab-b0bd-6e1316f991a7", + "id": "bundle--50e32a5b-7e11-4611-a95d-d5cac9f26c41", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json b/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json index dc4eb814e0..3210153c09 100644 --- a/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json +++ b/ics-attack/relationship/relationship--c1154a56-6f5f-4760-8b34-79b0e8a79c1f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9077e6e6-3a7d-45ad-8bc2-9e171749ff3f", + "id": "bundle--68e4525c-4a6b-4841-a6bb-0f83f28e8e1f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json b/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json index 452c49bf4b..c8eb95fbae 100644 --- a/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json +++ b/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c030fef9-7393-49fa-9d7f-270804666755", + "id": "bundle--574d8fe0-a8c9-479f-b207-96f0a2113789", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json b/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json index 76977fe325..51c4c78e72 100644 --- a/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json +++ b/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f78d197-b9d1-463a-b993-4193cfd4a919", + "id": "bundle--97b40272-3bcf-4b86-80d0-0212a91395ac", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json b/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json new file mode 100644 index 0000000000..557d2429b7 --- /dev/null +++ b/ics-attack/relationship/relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--086e1bbc-31fd-48d2-b66c-d0dd01245b38", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c1d77f83-23ec-4128-afd1-ed8ea12281a2", + "created": "2023-09-29T18:09:02.311Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:09:02.311Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json b/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json new file mode 100644 index 0000000000..bda2887926 --- /dev/null +++ b/ics-attack/relationship/relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d6103c97-d8ea-4163-b897-7693a985a044", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c1e051ab-0a11-4d29-b98f-aa442ab69553", + "created": "2023-09-29T17:09:48.178Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:48.178Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json b/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json new file mode 100644 index 0000000000..dc18aa9b60 --- /dev/null +++ b/ics-attack/relationship/relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--528890c8-c04c-4a00-b3f3-900347a32551", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c2168fe8-be19-4df5-808e-ed87c9c0e1c5", + "created": "2023-09-29T16:28:39.397Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:39.397Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c22acaab-baa4-45b0-9c4b-9330715e5455.json b/ics-attack/relationship/relationship--c22acaab-baa4-45b0-9c4b-9330715e5455.json deleted file mode 100644 index 24c70baca4..0000000000 --- a/ics-attack/relationship/relationship--c22acaab-baa4-45b0-9c4b-9330715e5455.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--fb862ec0-1a61-42cc-a724-9bb6ea0dbe23", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--c22acaab-baa4-45b0-9c4b-9330715e5455", - "created": "2022-10-13T21:18:17.775Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:26:03.133Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized an operator HMI to manipulate process control setpoint values far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json b/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json new file mode 100644 index 0000000000..c7a328404a --- /dev/null +++ b/ics-attack/relationship/relationship--c233df49-e450-4151-8a0f-1765faf3d75a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d48a21ff-db18-4f2a-8e94-bead4b96df91", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c233df49-e450-4151-8a0f-1765faf3d75a", + "created": "2023-09-29T17:08:08.883Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:08:08.883Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json b/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json index 20b2df07e5..e89465cc99 100644 --- a/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json +++ b/ics-attack/relationship/relationship--c2484b15-7dd0-4280-8898-a6a7da6f0ca2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--434100dd-50f8-4842-aba6-7c0d82522a63", + "id": "bundle--6e2d5348-42a9-4e63-ba3c-4bbccea8fc94", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json b/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json new file mode 100644 index 0000000000..4434d908b5 --- /dev/null +++ b/ics-attack/relationship/relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b8f4699f-85c4-4291-bda8-81fa5e3f3220", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c27e676e-1ac0-4ec8-bf9d-f540969c6b6f", + "created": "2023-09-29T17:59:54.204Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:59:54.204Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json b/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json index 52572c5ddc..07d0a574d5 100644 --- a/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json +++ b/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--029d4269-7b86-4e51-80ae-4a0b145e43ad", + "id": "bundle--863de4d9-f677-4e78-bf91-a279e7c7d9ba", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json b/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json index 2d51be6153..479d210152 100644 --- a/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json +++ b/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7151c807-af1c-4bb9-997e-8800a0ec6b4e", + "id": "bundle--d2e4d5e0-5a50-4e9d-be18-011fdbe61f20", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json b/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json new file mode 100644 index 0000000000..6ac3ba9bab --- /dev/null +++ b/ics-attack/relationship/relationship--c37f097a-9698-412f-9e96-4d350bcd2790.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c31dc644-ba3b-4969-b837-dfaeeda23759", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c37f097a-9698-412f-9e96-4d350bcd2790", + "created": "2023-09-29T16:44:26.728Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:44:26.728Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json b/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json new file mode 100644 index 0000000000..60c57cdd02 --- /dev/null +++ b/ics-attack/relationship/relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b7669783-c463-475a-b01c-5f204b146fc1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c39be68a-e208-47ac-a7be-6eb6e84d6608", + "created": "2023-09-29T18:49:14.639Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:14.639Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json b/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json index 2ca338b5fd..69139788ca 100644 --- a/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json +++ b/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7446a2a0-fa6d-492f-8249-49f8c393208f", + "id": "bundle--11a88dc1-c0a7-4419-ab7d-a8da870dd113", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json b/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json new file mode 100644 index 0000000000..2d3a7a9c63 --- /dev/null +++ b/ics-attack/relationship/relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2f0c3397-ce37-4145-9665-7a729145422b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c41d20c8-b99e-4de8-a0e5-3e0ef3b4275b", + "created": "2023-10-02T20:21:06.420Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:21:06.420Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json b/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json index 7963a3bc7d..01c5a53bcf 100644 --- a/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json +++ b/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9090d35e-15ef-4c95-ae7c-c6cb8269b1f7", + "id": "bundle--cf83c30a-b6dd-4493-8a96-84bc5d1267c0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json b/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json new file mode 100644 index 0000000000..8d2fedc024 --- /dev/null +++ b/ics-attack/relationship/relationship--c4718fa2-2592-44b0-87d0-f866c118a779.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e45fe81f-77a7-41e5-9389-e87f5f52f075", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c4718fa2-2592-44b0-87d0-f866c118a779", + "created": "2023-09-29T18:07:09.213Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:07:09.213Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json b/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json index 7c9e2ec022..bfcd28aca7 100644 --- a/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json +++ b/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5484be4b-a35c-4506-baaf-82dcf688275f", + "id": "bundle--19d4361f-4aff-4b55-bc1a-982a8f68675f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json b/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json new file mode 100644 index 0000000000..265584e68e --- /dev/null +++ b/ics-attack/relationship/relationship--c4a50132-a210-4093-878d-3d6df23ed26e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--15b1fbb1-fdd1-4432-98fa-255b9bdb8b4b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c4a50132-a210-4093-878d-3d6df23ed26e", + "created": "2023-09-29T17:10:09.146Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:10:09.146Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json b/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json new file mode 100644 index 0000000000..32e69d4bea --- /dev/null +++ b/ics-attack/relationship/relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ef8835a8-1925-4e4b-8fd0-4c4677b0cfe3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c4b036ee-be86-48cb-9f01-ab8f78e5bb37", + "created": "2023-09-28T20:15:05.405Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:05.405Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json b/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json index 20cac75a2b..e8a9caeaf5 100644 --- a/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json +++ b/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dce523ec-55bd-4aee-9e36-b96428345666", + "id": "bundle--70cddbf3-7632-4df0-ac9e-f92be96a9019", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json b/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json new file mode 100644 index 0000000000..7e274cd013 --- /dev/null +++ b/ics-attack/relationship/relationship--c58563a8-d757-4476-8ae2-beb2acce38b3.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d69f4b3a-8d13-492c-98bb-e7ae8e691578", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c58563a8-d757-4476-8ae2-beb2acce38b3", + "created": "2023-10-02T20:20:55.473Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:20:55.473Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json b/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json index e78837df8c..5d4156398f 100644 --- a/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json +++ b/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95b5a90f-1e87-48f2-985f-c68c280fbf15", + "id": "bundle--34d7ff3f-a40b-4645-8c3e-10fb36c77a80", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json b/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json new file mode 100644 index 0000000000..0f63b02e4d --- /dev/null +++ b/ics-attack/relationship/relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0005d055-b6c8-400d-9746-4128d811a753", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c5a69738-3e80-421d-aba2-bdab8a4029fd", + "created": "2023-09-29T18:43:49.839Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:43:49.839Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json b/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json index 1bf73e9083..de94fb9bbd 100644 --- a/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json +++ b/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a9856822-b741-404c-b2f9-d63dd035cd03", + "id": "bundle--0fba36e3-9390-402c-89ef-b1a7db745d09", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json b/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json index d574bbf53e..d914935a21 100644 --- a/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json +++ b/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a28f2e0f-1313-453d-bef9-422a462db30d", + "id": "bundle--80308166-cc14-4990-bb16-bb10ba253e3d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json b/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json index 32a6405ef2..4f3a715d22 100644 --- a/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json +++ b/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11f01912-ae70-462a-96ce-28fc87cf1206", + "id": "bundle--822e7321-3c27-4a22-be1f-0f6a7e6ae12e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json b/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json index 8713015ede..529c8e0bb3 100644 --- a/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json +++ b/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a946634-f54f-4222-89a1-d1dc6a5a04a4", + "id": "bundle--0fa81b8a-d8ef-48ba-8a00-6f2d958cfb41", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json b/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json index cdb5d4f5c2..4797ec5932 100644 --- a/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json +++ b/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26667b31-149d-4254-99fe-47d9f99fe727", + "id": "bundle--83d13db7-5683-47a7-9a15-08afa2bd4aa8", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json b/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json index 9967c697bc..445ee07908 100644 --- a/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json +++ b/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--172a3a25-9244-4061-a6e4-3ae4cbf8aee2", + "id": "bundle--9d8066a9-b77d-485e-822f-d703fc1a0eb5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json b/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json new file mode 100644 index 0000000000..3d13453361 --- /dev/null +++ b/ics-attack/relationship/relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ec71faf5-4514-402c-b74b-755f312c87fe", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c65e39eb-f6d1-4e3a-9070-b2fa7ea35b36", + "created": "2023-09-28T21:27:50.246Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:27:50.246Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json b/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json index 459cda2c82..62427416a0 100644 --- a/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json +++ b/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b8f62fa-1bb5-4644-8a63-3aae9d3f1f72", + "id": "bundle--03748773-f37f-4532-88d9-a3f62a4ebf25", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json b/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json index dc1a8357be..da7ee86958 100644 --- a/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json +++ b/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b74a90c0-ef53-40ca-8645-a76beb0cc89e", + "id": "bundle--00633794-0df7-41c7-9538-16bcd3841361", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json b/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json index 76bf168353..28d9121720 100644 --- a/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json +++ b/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf9699b7-ae30-49df-8905-3d583bd80c7d", + "id": "bundle--f6750bf9-9d54-45ae-b1f2-9f52a46b96af", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json b/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json new file mode 100644 index 0000000000..daef1a9dcf --- /dev/null 
+++ b/ics-attack/relationship/relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--52438d37-d329-4fe0-89cf-902fab4eaff9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c6a05c20-02d4-42ce-ad5c-280c604e13d8", + "created": "2023-09-29T17:59:11.267Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:59:11.267Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json b/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json index 4e170d8f4c..9244855668 100644 --- a/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json +++ b/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58597a8d-f771-4ff5-b110-d1706757c95c", + "id": "bundle--a0df1f53-65f7-4bd8-a209-3bada81f58b5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json b/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json index cda973e093..ce1c97286a 100644 --- a/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json +++ b/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e33f2cc-8702-4351-9b69-f107d35d6fce", + "id": "bundle--641a3eff-850f-4475-a071-4adddfeeff04", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json b/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json index 86e5340462..4d63b73e83 100644 --- a/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json +++ b/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab898521-30be-4d92-aa9b-849e7e8e171e", + "id": "bundle--3997ec05-a622-4b5f-b59e-23ed79770e76", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json b/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json index 4a9b359fd9..ebf8462970 100644 --- a/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json +++ b/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9fca5224-44ed-4619-827b-add8eea35138", + "id": "bundle--ed9626c9-2ff8-4b18-8615-ab838dcb0a4f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json b/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json index 30dcba0b11..e5cda11b69 100644 --- a/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json +++ b/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83830c0f-a21a-42c3-b345-9f64f7622450", + "id": "bundle--c9c8f95f-4290-4809-940e-3ac5cbee72fd", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json b/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json index 5fc3be3b04..e2e3ff1c38 100644 --- a/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json +++ b/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--291b3a05-f2af-4bac-a980-5a92b9e82372", + "id": "bundle--5f70119f-7919-40a1-9d20-1efb1dc6bfab", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json b/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json index 04f31f2c3c..506f8bc91f 100644 --- a/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json +++ b/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58753339-97b8-46d3-8d3d-ae4b8489d3c9", + "id": "bundle--d4b1ce90-9d97-4ec3-9419-919b89f25257", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json b/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json index d3bd0d1423..14c1d3f44e 100644 --- a/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json +++ b/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85b1470c-af24-49cd-aeb4-e7906ef10aa6", + "id": "bundle--c8f54e54-e919-40b4-bd0c-db9a031c7717", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json b/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json new file mode 100644 index 0000000000..3313ec1bd3 --- /dev/null 
+++ b/ics-attack/relationship/relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json @@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--0def4203-e835-4978-83e5-040f6d005464", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a", + "created": "2023-09-27T13:22:13.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-27T13:25:51.965Z", + "description": "(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json b/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json index 084b1327c4..da0cb763da 100644 --- a/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json +++ b/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a4b54b3-f8ba-435b-9b1c-34aec0d5ff45", + "id": "bundle--6957435f-a188-4418-bf11-a63d94679f09", "spec_version": "2.0", "objects": [ { 
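Review bot: The citation text in `external_references` of relationship--c8e78d6f-ac9d-4ad3-ae13-238f1eb4423a.json is malformed: `"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "` has the period after "Retrieved" and a trailing space. Something like `"description": "Booz Allen Hamilton. When The Lights Went Out. Retrieved 2019/10/22."` would read cleanly. The relationship's own `description` is only `(Citation: Booz Allen Hamilton)`, so it never states how the campaign used the malware and an analyst has to open the PDF to learn what the `uses` edge asserts. A one-sentence summary before the citation marker would make the record usable on its own.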
diff --git a/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json b/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json index 8eb82c773f..6c0ae87ab1 100644 --- a/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json +++ b/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7a8d5999-a24f-4d4e-a340-351ea0c9d6f8", + "id": "bundle--98d5cf0d-688c-4982-ac96-ef197b64950c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json b/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json index 707642d686..ebc21790c1 100644 --- a/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json +++ b/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--518fa43e-406c-4037-8f94-129ad8550abf", + "id": "bundle--c3a18145-4171-409b-be4d-2bdcc65af3be", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json b/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json new file mode 100644 index 0000000000..081d310e6e --- /dev/null +++ b/ics-attack/relationship/relationship--c95850f4-4616-435c-b237-f1985833d40e.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--18679bab-810c-4e1d-8d20-10151e21a81e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c95850f4-4616-435c-b237-f1985833d40e", + "created": "2023-09-29T16:29:39.918Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:39.918Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json b/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json new file mode 100644 index 0000000000..67b7e46d3b --- /dev/null +++ b/ics-attack/relationship/relationship--c9fb4adb-8064-426a-838d-c93674fb380b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--cc264039-3981-4779-84c4-1d55e56b9cd9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c9fb4adb-8064-426a-838d-c93674fb380b", + "created": "2023-09-29T18:44:38.035Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:44:38.035Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json b/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json index 4e6be53149..6df596496b 100644 --- a/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json +++ b/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8619e52d-6d5d-4368-87b9-7abf53922638", + "id": "bundle--1762ef5b-b362-4db5-9cd3-a217611a0c75", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json b/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json new file mode 100644 index 0000000000..1f9dad05e7 --- /dev/null +++ b/ics-attack/relationship/relationship--ca13a117-aae0-4802-878b-c09f4a04dd31.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--69127718-88e0-4e7e-b56d-91eb18a873f5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ca13a117-aae0-4802-878b-c09f4a04dd31", + "created": "2023-09-28T20:06:50.018Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:06:50.018Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json b/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json index d02ff9c790..5f1d4f9ab9 100644 --- a/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json +++ b/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b570ac5-81b9-4efd-8942-03f5cfd88a76", + "id": "bundle--16397d78-4198-4e5b-a535-4f43954df955", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json b/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json index b240987927..00240316f8 100644 --- a/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json +++ b/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5bf9473-288f-4cba-8310-ba90d2b6a428", + "id": "bundle--4fb4aa7a-446d-4a2f-bae1-ad0550eb19c3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json b/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json index bbdcf678ff..0cf3fa213d 100644 --- a/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json +++ b/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ae2ec66b-e313-4e6f-ad16-829b31d5bcaa", + "id": "bundle--e733762b-2192-48a0-98cc-676fa5cd7be8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json b/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json index 183f0b9f54..b183d11bc6 100644 --- a/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json +++ b/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e614fc42-d4ea-408f-87bc-4ec5ee7d4ec8", + "id": "bundle--e815360f-2db9-4b72-b5ac-4e13143d4d24", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json b/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json index 8849f3a66a..121cc38896 100644 --- a/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json +++ b/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9157ebb3-33d9-47aa-95fe-8add81c93a36", + "id": "bundle--432b2467-e577-4ac3-8842-c64d709549b8", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json b/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json index 1a75d42ac0..1d44809034 100644 --- a/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json +++ b/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94e536a9-71b0-4035-b79e-c4cbcb7574f5", + "id": "bundle--ca585647-5f67-4e67-ba57-2f014402b7cb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json b/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json index a8eb687490..334077ac19 100644 --- a/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json +++ b/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json 
@@ -1,24 +1,26 @@ { "type": "bundle", - "id": "bundle--6c9b6666-e78e-4698-abe6-d14ea83cb658", + "id": "bundle--7f6d3709-b51a-4611-b328-e69e4dd66150", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.178Z", + "modified": "2023-09-25T20:48:12.637Z", + "description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device.\n", "relationship_type": "mitigates", - "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json b/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json index 8914082871..ae4047abb5 100644 --- a/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json +++ b/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json 
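Review bot: The `description` of relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d changes the mitigation's meaning, yet `x_mitre_version` stays `"1.0"` and only `modified` moves. The old text covered checking that the installed program on safety or control assets was unchanged; the new text covers verifying the integrity and authenticity of programs downloaded to the device. A consumer that detects content changes by version rather than by `modified` would presumably miss the rewrite, and since most other lines in the hunk are key reordering it is easy to overlook in review as well. The new string also keeps the trailing `\n`; if that is not intentional, use `"description": "Utilize code signatures to verify the integrity and authenticity of programs downloaded to the device."`.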
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20fb6b3a-9f6b-4445-aa85-973087ca46b7", + "id": "bundle--b10a39cb-70ee-4174-8c1d-0560ec81b484", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json b/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json new file mode 100644 index 0000000000..87c6e7a2a9 --- /dev/null +++ b/ics-attack/relationship/relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8a3044e7-e665-4995-b353-5c59909a3515", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cb47a3bb-daec-4aa1-9a92-af2a61bb65cd", + "created": "2023-09-28T21:14:29.099Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:29.099Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json b/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json index 6c1dea78c2..22bec39b04 100644 --- a/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json +++ b/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54243898-b40e-4360-922d-6974f0a93e18", + "id": "bundle--ea407a68-b450-40b8-aa7a-957ebb3ab762", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json b/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json index be1341ff7d..ba0358e8e0 100644 --- a/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json +++ b/ics-attack/relationship/relationship--cb6d67c0-33ba-4c49-ae70-d0e4f0f68794.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--938e8a58-386e-4ce3-a0f2-1717bce1fedb", + "id": "bundle--9f888618-40da-48d2-b701-8f922d189cf6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json b/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json index a990287c5e..ca7aab201f 100644 --- a/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json +++ b/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a16c9efa-16c9-44c8-adbd-9c58c734e641", + "id": "bundle--5bf65a08-680f-4be2-af41-76252d62a63a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json b/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json new file mode 100644 index 0000000000..83a88d6d12 --- /dev/null +++ b/ics-attack/relationship/relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--89d1c8a2-2346-4c19-b1e5-93c0fb4f0364", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cbee31a0-716c-4b10-83f0-aa889bfb4749", + "created": "2023-10-20T17:05:25.595Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-20T17:05:25.595Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json b/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json new file mode 100644 index 0000000000..78642f709c --- /dev/null +++ b/ics-attack/relationship/relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3bdeeaf1-b674-433f-b723-e6ca334f9bea", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cc5c77ce-c5a3-4791-b80e-09d35282443a", + "created": "2023-09-29T16:30:08.166Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:30:08.166Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json b/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json index 20a4fc47a9..219e174834 100644 --- a/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json +++ b/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--086b4996-4878-491f-968a-83eb6b9a4f5e", + "id": "bundle--39404db4-16ce-4a34-b2ce-096d95b52cd7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json b/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json index 0fdc6c5b21..207eed9dd9 100644 --- a/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json +++ b/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b540ad49-7aac-4807-8633-61acfd0dceeb", + "id": "bundle--d3d1040c-4c8c-41e3-84ee-020acedf8611", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json b/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json index 19a35dcf2d..a06fddb5ea 100644 --- a/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json +++ b/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--787ad350-442e-4f15-aa9e-1a58ba54d83a", + "id": "bundle--c0aed992-b6f9-41c0-83a6-98580d9baf2d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json b/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json new file mode 100644 index 0000000000..6bd659059f --- /dev/null +++ b/ics-attack/relationship/relationship--ccbb44ad-2220-4260-99ce-9142c44fc797.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fbfdd4f9-718d-4a30-a3e9-d74a5a5455c9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ccbb44ad-2220-4260-99ce-9142c44fc797", + "created": "2023-09-28T21:10:03.272Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:10:03.272Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json b/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json index e57f0e0a10..4e0424e98d 100644 --- a/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json +++ b/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--361cdf41-058a-4550-a247-392c09f30e22", + "id": "bundle--c3993c53-3639-48a5-9524-bac82cfb9ecb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json b/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json index dee28728f5..c14de71f2b 100644 --- a/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json +++ b/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30403215-3aa6-47ab-8ae2-288fbcce4604", + "id": "bundle--4d9ed113-3474-4d05-bf77-cc55b1953ef9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json b/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json new file mode 100644 index 0000000000..9fb2563d34 --- /dev/null +++ b/ics-attack/relationship/relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b657838b-8618-4dd7-a863-4a1a5c923fa0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cd54b7ba-c96c-49c8-90d2-15677efb8fe2", + "created": "2023-09-28T20:15:56.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:15:56.470Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json b/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json index ddf8f426d8..f1fbd22814 100644 --- a/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json +++ b/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--adcc72cd-959a-4eb6-9e73-d60e8464c134", + "id": "bundle--6fc136e7-3351-4a9c-b17b-201059a028e6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json b/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json new file mode 100644 index 0000000000..8a73ea5dc5 --- /dev/null +++ b/ics-attack/relationship/relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8d84f69c-8b53-40bb-976c-c6718826a646", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ce3aad7e-1e15-40c7-916b-e25a647e9986", + "created": "2023-09-29T16:31:36.462Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:31:36.462Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json b/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json index d759ade53a..56d54d2227 100644 --- a/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json +++ b/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5668a248-f7ac-4b5c-b2e7-a5ecff9028eb", + "id": "bundle--4f97532a-9843-4bcb-9e4f-f43c3560122e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json b/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json index e7c587433c..675a128ed3 100644 --- a/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json +++ b/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d3a80de0-c7cf-4140-85cc-003d935bb554", + "id": "bundle--2b98d895-3bf0-40e6-91a6-86d9cebec96b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json b/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json index 362ed42418..baa5838dd0 100644 --- a/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json +++ b/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c4a87ef-c525-4c90-a13d-c1a4456c1267", + "id": "bundle--089885db-ffdb-4c3b-97f6-6ecde1bbbe56", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json b/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json index f84ba431a2..2ca7c6b98d 100644 --- a/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json +++ b/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6fb67b6f-efd5-4383-9e82-5b55bbda04c1", + "id": "bundle--4e0825f3-8897-4f59-9421-a3efa2c10c52", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json b/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json new file mode 100644 index 0000000000..dbe9206abb --- /dev/null +++ b/ics-attack/relationship/relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--87158104-7647-4608-8180-3e8ec77a33f5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cf53ff89-3c31-4f8d-83a1-b74dce4c558d", + "created": "2023-09-29T16:29:16.222Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:29:16.222Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json b/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json index 81789c0373..418214e5b3 100644 --- a/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json +++ b/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8ad14ba-9196-40bf-8266-d44393a8571a", + "id": "bundle--a7bd9db6-e5f1-4266-80af-b1f8ec7bf1b5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json b/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json new file mode 100644 index 0000000000..87ccc2fbb4 --- /dev/null +++ b/ics-attack/relationship/relationship--cf8a816c-30ee-4147-a48f-d797fb145a04.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1deb185b-62a3-4d4a-a4fe-f36ccc2833cc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cf8a816c-30ee-4147-a48f-d797fb145a04", + "created": "2023-09-29T17:43:10.828Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:43:10.829Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json b/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json index 87de83d937..37c41e325a 100644 --- a/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json +++ b/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--be78280d-8540-4762-8f8a-889014ac12da", + "id": "bundle--776af8c8-55ee-4ecd-8a83-29e181c2be71", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json b/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json new file mode 100644 index 0000000000..fb3e636d3f --- /dev/null +++ b/ics-attack/relationship/relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--251ba012-feca-46d5-843b-52fea1c99169", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cfaead3c-3db5-400f-bd15-dfbc57cf0185", + "created": "2023-09-28T21:15:44.547Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:15:44.547Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json b/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json index 53d8ca0688..d1c0593173 100644 --- a/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json +++ b/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d77b37b1-0cf7-4b7a-85aa-3d55f3027ac7", + "id": "bundle--1f04d32b-d8e9-468e-bf4f-1d67b0e6e813", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json b/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json new file mode 100644 index 0000000000..261025d60b --- /dev/null +++ b/ics-attack/relationship/relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3527d03e-0191-441d-bc98-f299528c87d4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d02812b2-23c3-4dce-bf94-c6e464e86fab", + "created": "2023-10-02T20:22:25.770Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:22:25.770Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json b/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json new file mode 100644 index 0000000000..e24a03ce23 --- /dev/null +++ b/ics-attack/relationship/relationship--d03de729-9235-4ceb-a1c0-935e2088020b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ab8272da-3d1f-4cd7-9c26-0662c8434747", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d03de729-9235-4ceb-a1c0-935e2088020b", + "created": "2023-09-28T21:29:12.533Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:29:12.533Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json b/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json index dbef81a82c..c1f32e4d47 100644 --- a/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json +++ b/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--966e8b5e-516f-4b1f-bf8f-dbaaa455b9f3", + "id": "bundle--f7f24dd9-b07b-4247-b949-94e45caf5acc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json b/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json new file mode 100644 index 0000000000..5d35e915e0 --- /dev/null +++ b/ics-attack/relationship/relationship--d1388bba-9869-4e3e-a6c9-430784ad924d.json 
@@ -0,0 +1,33 @@ +{ + "type": "bundle", + "id": "bundle--5166a76e-9e49-4ca6-a2d2-f70dc73504f7", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d1388bba-9869-4e3e-a6c9-430784ad924d", + "created": "2023-09-27T14:59:13.988Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.267Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), operators were shut out of their equipment either through the denial of peripheral use or the degradation of equipment. Operators were therefore unable to recover from the incident through their traditional means. Much of the power was restored manually. (Citation: Ukraine15 - EISAC - 201603)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json b/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json index 7175beae80..71c983b883 100644 
--- a/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json +++ b/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc965a57-5660-48fe-9b73-6db3cc45c261", + "id": "bundle--da9cd38e-44fd-4a2e-977d-a700bf1e1580", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json b/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json index a728041d77..29724ccf0e 100644 --- a/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json +++ b/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e29c87e2-22d6-49f7-8bf3-84662cf9f7c3", + "id": "bundle--330fb2f2-2ee2-4d7a-9e43-ead08ce59e47", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json b/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json new file mode 100644 index 0000000000..2b4bdbc526 --- /dev/null +++ b/ics-attack/relationship/relationship--d1a97502-b41d-40a8-aff5-13367fefc642.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6000f2e8-0732-4856-99a7-2db12fc7476d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d1a97502-b41d-40a8-aff5-13367fefc642", + "created": "2023-09-28T21:21:45.003Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:21:45.003Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json b/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json new file mode 100644 index 0000000000..e5143a4811 --- /dev/null +++ b/ics-attack/relationship/relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e391bb26-1c22-48f6-a282-63f9a5a6470f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d1bd77d4-9f1a-41ee-bf64-0aa7438e6896", + "created": "2023-09-29T16:28:52.111Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:52.111Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json b/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json index e9d186d3c9..3f770d909f 100644 --- a/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json +++ b/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2f38686-2249-4696-86f3-9204a0e117b0", + "id": "bundle--26949c05-49bf-4a25-9d9c-a236539121f5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json b/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json new file mode 100644 index 0000000000..d26a32f69a --- /dev/null +++ b/ics-attack/relationship/relationship--d23fd724-563d-4f49-8bcd-09c653728cd3.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1554689d-966b-48a8-a0fb-be903279f0a2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d23fd724-563d-4f49-8bcd-09c653728cd3", + "created": "2023-09-28T21:28:00.462Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:28:00.462Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json b/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json new file mode 100644 index 0000000000..3ffb4c4183 --- /dev/null +++ b/ics-attack/relationship/relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--461ae333-0f91-4ac3-8c87-1163f8668059", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d2985b8a-7a29-4b57-b2f1-cddd79fe4242", + "created": "2023-09-28T19:53:20.304Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:53:20.304Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json b/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json new file mode 100644 index 0000000000..f12b97ac8e --- /dev/null +++ b/ics-attack/relationship/relationship--d2a434c7-4428-435e-ae6b-e54012f29606.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1797bbc9-6a2b-4937-ad92-ec483f83bbe3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d2a434c7-4428-435e-ae6b-e54012f29606", + "created": "2023-09-25T20:43:52.987Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:43:52.987Z", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json b/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json index 12514daf37..8311ee5b99 100644 --- a/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json +++ b/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a629d8da-af39-4bfe-b8df-957fe340b500", + "id": "bundle--76f7ad8b-7825-4005-9f28-69637305994d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json b/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json index ee690cc4f9..3673d68384 100644 --- a/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json 
+++ b/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2010b10c-4bf6-403a-979a-8ec9650e0ab1", + "id": "bundle--baadb2fc-e069-435e-98fd-df9032e28d18", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json b/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json new file mode 100644 index 0000000000..d169d0af70 --- /dev/null +++ b/ics-attack/relationship/relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4c22005e-2744-4e74-b24f-c58bed0d259c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d3266f04-3453-492d-b9ea-6fb9d0ce3999", + "created": "2023-09-29T18:49:54.378Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:54.378Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json b/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json new file mode 100644 index 0000000000..1c363c8952 --- /dev/null +++ b/ics-attack/relationship/relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3101f87b-0598-4855-af07-4ae35c9a8655", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d3564f1f-8637-4878-a66a-3e8ea46f7a72", + "created": "2023-09-28T19:38:27.199Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:38:27.199Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json b/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json index 893761b568..789a8b4798 100644 --- a/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json +++ b/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--545348ed-3c53-4dba-8df6-d92dd9b4a1f1", + "id": "bundle--974681fb-d63b-4bfc-8f93-7b2ec1a762b2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json b/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json new file mode 100644 index 0000000000..69146903d8 --- /dev/null +++ b/ics-attack/relationship/relationship--d3d4f469-9847-41ef-a478-5eaf6003d483.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8bf023c2-147f-4b0b-8300-deae8c157f29", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d3d4f469-9847-41ef-a478-5eaf6003d483", + "created": "2023-10-02T20:23:00.405Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:00.405Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json b/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json index 294ee772c7..f3ad15fad1 100644 --- a/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json +++ b/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c576001c-cd8f-43ee-a192-37962167bc4a", + "id": "bundle--73b4e927-fd66-4c9a-9e2a-eb7e484ecafc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json b/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json new file mode 100644 index 0000000000..58072abf9d --- /dev/null +++ b/ics-attack/relationship/relationship--d455330d-f190-4854-8087-4c2c37003b45.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--33276dff-34cf-40e8-8b9f-f2bb3caa474c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d455330d-f190-4854-8087-4c2c37003b45", + "created": "2023-09-29T17:39:29.897Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:39:29.897Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json b/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json new file mode 100644 index 0000000000..06224a010f --- /dev/null +++ b/ics-attack/relationship/relationship--d48894cb-457e-4a81-82b4-2d735aea5128.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ce493a75-4021-4954-bdfa-c823e22a91de", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d48894cb-457e-4a81-82b4-2d735aea5128", + "created": "2023-09-28T19:50:56.496Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:50:56.496Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json b/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json index 357111096f..f885e17861 100644 --- a/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json +++ b/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d30953c3-f404-4171-8051-16b576eca66c", + "id": "bundle--dcb03be5-eb7e-412f-ad39-21dc566b1203", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json b/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json index 490c00d0f1..96d75d6913 100644 --- a/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json +++ b/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cc6e0a8-6269-4e91-982c-531a52984eb2", + "id": "bundle--07a8ed2e-623d-4de5-af8a-c409790b523f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json b/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json new file mode 100644 index 0000000000..511b2c1688 --- /dev/null +++ b/ics-attack/relationship/relationship--d58d8b19-90bc-4a7f-840d-076be296ff20.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d7738770-4b2c-4383-a790-e718fa7582c1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d58d8b19-90bc-4a7f-840d-076be296ff20", + "created": "2023-09-29T17:09:01.803Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:01.803Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json b/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json new file mode 100644 index 0000000000..4d446e5fe5 --- /dev/null +++ b/ics-attack/relationship/relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7439a985-e8cd-4a62-b086-84b59ab9dc8c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d5b532fe-3df9-4f92-a0f0-9c92823cdb6a", + "created": "2023-09-28T19:43:49.584Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:43:49.584Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json b/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json new file mode 100644 index 0000000000..33c2f6e4c6 --- /dev/null +++ b/ics-attack/relationship/relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0f3d1812-fe69-4899-817c-a725025f573b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d5e908f9-eea1-4e55-a406-f24c5dc74b2d", + "created": "2023-09-29T17:38:17.313Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:17.313Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json b/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json new file mode 100644 index 0000000000..f0c310735d --- /dev/null +++ b/ics-attack/relationship/relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0fcdc6dc-7df8-4c8c-a45a-ec6ef5b1888d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d611b750-95e5-4f73-8f16-38db0a34a2e0", + "created": "2023-09-29T17:08:23.682Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:08:23.682Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json b/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json new file mode 100644 index 0000000000..dc56b780d2 --- /dev/null +++ b/ics-attack/relationship/relationship--d648b3c7-77d2-42f3-a367-620621b714ab.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--34d7cee1-c2e1-4e75-9a0a-f0f4560599ac", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d648b3c7-77d2-42f3-a367-620621b714ab", + "created": "2023-09-28T21:11:29.314Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:11:29.314Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json b/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json index 31afff66db..4bfdb2cd8d 100644 --- a/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json +++ b/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b14c37d1-1fd0-4cfb-9606-38878262d818", + "id": "bundle--d9aae060-ba48-4d91-aa7c-ab1996b8935a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json b/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json index b61587d6ec..a45f9d1d3a 100644 --- a/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json +++ b/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--459c5e48-3de5-4057-aa18-40c0c0f2519f", + "id": "bundle--11c19836-bcb0-4615-b894-06d6097ee2f5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json b/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json index e84b965ccd..11fa20e3ea 100644 --- a/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json +++ b/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d9bc5047-3b20-4c32-a505-ee4feba8b92d", + "id": "bundle--660ec1b2-6fc6-4322-8aad-c0a8e09eaaf6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json b/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json new file mode 100644 index 0000000000..04c9cad491 --- /dev/null +++ b/ics-attack/relationship/relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--127ea53f-3287-48a2-98ff-c3b5856479d5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d775a6ed-4a60-41f4-ac06-da86c27cd1de", + "created": "2023-09-29T18:48:41.176Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:48:41.176Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json b/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json new file mode 100644 index 0000000000..aceefcd53f --- /dev/null +++ b/ics-attack/relationship/relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a2055f20-0ae7-4d6b-9c35-a11fa8f28baa", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d7b07d40-fbdb-41e9-b610-57de10fa41e5", + "created": "2023-09-28T20:29:50.745Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:29:50.745Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json b/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json index c4af412167..b3e34bddc9 100644 --- a/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json +++ b/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc4526cd-d6ea-4a24-8163-4f0325e4ecbe", + "id": "bundle--9a1598d9-4a9d-4293-8ba6-58676cc166bd", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json b/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json new file mode 100644 index 0000000000..b64948e5ca --- /dev/null +++ b/ics-attack/relationship/relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--044180da-af8d-4d17-807b-70d18d33de98", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d80f9deb-ba2a-4a07-aa23-81c423cf4a18", + "created": "2023-09-29T16:46:01.992Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:01.992Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json b/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json index 232f6c0d9a..1c531fbfd9 100644 --- a/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json +++ b/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cfd744a6-766f-42fb-98de-e9f6d0f04b03", + "id": "bundle--dc0f9b0b-c9df-48e7-8c8e-752718871ca6", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json b/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json index bf9d6b3ec0..354d3499f1 100644 --- a/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json +++ b/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4abbf75a-8042-4016-a819-1b53de277c40", + "id": "bundle--21f4b6c8-ba7d-43c1-9517-6dd56daf3f40", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json b/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json index b02c6077cb..e0e0530396 100644 --- a/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json +++ b/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6e041da-e2d2-4bbd-be60-108baef36e81", + "id": "bundle--b7b14619-1c02-4a4b-9376-7a1d97d55233", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json b/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json new file mode 100644 index 0000000000..298fa4a066 --- /dev/null +++ b/ics-attack/relationship/relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4ce538b1-0760-495e-a5a9-02adc750a161", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d89d9778-4695-4c97-bf6d-1d0fbabb41fa", + "created": "2023-09-28T21:14:51.778Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:14:51.778Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json b/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json index e4e09c70eb..dd5733d5fd 100644 --- a/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json +++ b/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--848e048b-c953-4593-8a98-a66086340652", + "id": "bundle--f2d1434b-18f6-4469-9588-21a2d1e5b541", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json b/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json new file mode 100644 index 0000000000..effaa6fe3a --- /dev/null +++ b/ics-attack/relationship/relationship--d8f95008-33c9-4572-9916-023d8de449b1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--31f7b05b-9ded-4fe8-8a2c-f2fde4891e72", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d8f95008-33c9-4572-9916-023d8de449b1", + "created": "2023-09-29T18:04:16.785Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:04:16.785Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json b/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json index 2544344d2d..629f9c3c1b 100644 --- a/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json +++ b/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9834dcb-3b56-4952-9e9f-62c1006fd0b6", + "id": "bundle--bf88feb5-94de-4b86-bf92-63dca0e7a77c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json b/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json index 0f5ccfaf72..e0f7b15817 100644 --- a/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json +++ b/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0de80a9a-6aae-4237-950e-442a86866f27", + "id": "bundle--e0f84c18-8c65-4bc2-9b12-2207e0f5cb1b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json b/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json index 2d7eaa8278..85ebc05826 100644 --- a/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json +++ b/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43952feb-c9f4-46bd-8cec-3771863c35b6", + "id": "bundle--9e868135-207b-4d2f-87dd-ad32f8d09450", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json b/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json new file mode 100644 index 0000000000..b1e04c8bfe --- /dev/null +++ b/ics-attack/relationship/relationship--d96788b4-55dd-48df-bb9b-83b33ca24813.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--39361ecf-f36c-4615-8cec-9a08db173622", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d96788b4-55dd-48df-bb9b-83b33ca24813", + "created": "2023-09-28T19:55:22.376Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:55:22.376Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json b/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json new file mode 100644 index 0000000000..de1f3fd95d --- /dev/null +++ b/ics-attack/relationship/relationship--d9de58a6-58fd-499c-ba7d-588239297179.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--70d2b2a3-acbf-4e8a-966d-0b039a54bb80", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d9de58a6-58fd-499c-ba7d-588239297179", + "created": "2023-09-29T16:42:31.464Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:31.464Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json b/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json new file mode 100644 index 0000000000..6b590a86b8 --- /dev/null +++ b/ics-attack/relationship/relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2b8df9d6-28c9-48f5-be4b-1e2d143f4502", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d9fa7d68-a07c-4cf0-bb01-14e2c70c21d5", + "created": "2023-09-28T19:51:11.687Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:51:11.687Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json b/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json new file mode 100644 index 0000000000..e2f79880a7 --- /dev/null +++ b/ics-attack/relationship/relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1b5a1262-6906-4b6b-aff2-c64e24ab5550", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--da144dd2-c949-4a7f-8c8d-0cb27c52196a", + "created": "2023-09-29T16:42:53.226Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:42:53.226Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json b/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json new file mode 100644 index 0000000000..63804d16ad --- /dev/null +++ b/ics-attack/relationship/relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8d18cf5f-ad08-4da9-a6c6-3ebb9e17cc82", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--da771d72-c778-4c9a-acb4-01b5fc3d36c0", + "created": "2023-09-29T18:06:57.332Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:57.332Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json b/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json new file mode 100644 index 0000000000..b6d0d214c7 --- /dev/null +++ b/ics-attack/relationship/relationship--da987131-bf37-4730-9914-323879d2b5c3.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c4d7efe4-13ed-4cd8-aa68-837e92c26858", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--da987131-bf37-4730-9914-323879d2b5c3", + "created": "2023-09-28T20:34:11.025Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:34:11.025Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json b/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json new file mode 100644 index 0000000000..b850ac599f --- /dev/null +++ b/ics-attack/relationship/relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--376fe443-83e2-4177-9cfe-67ac4a70ce24", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--dac96d76-b9b8-4278-9f5b-62f4992e2ac8", + "created": "2023-09-28T19:44:22.801Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:44:22.801Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json b/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json index 71abd1c196..2e6a8c89b1 100644 --- a/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json +++ b/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d778367-fc09-4e45-8ba8-7f9a2ec78492", + "id": "bundle--f00a33ba-e7b7-43c7-b034-45b7d7810c06", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json b/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json new file mode 100644 index 0000000000..db0d6e37c3 --- /dev/null +++ b/ics-attack/relationship/relationship--db46e84f-435e-4022-b484-e6d2e253660c.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--88fadefd-1094-49db-8223-1509386ba8ac", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--db46e84f-435e-4022-b484-e6d2e253660c", + "created": "2023-09-29T18:06:13.468Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:13.468Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json b/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json index dd03786598..48958885da 100644 --- a/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json +++ b/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da597e23-9579-43b2-bf11-cde5a2da864e", + "id": "bundle--b4707b39-92cf-4ed6-9fe2-6e38b041c0fa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json b/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json new file mode 100644 index 0000000000..243674c46a --- /dev/null +++ b/ics-attack/relationship/relationship--dbcc492c-782e-4418-8373-dbc7a76498b0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0d42722e-6c87-4952-a2af-fff3f90b0ca2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--dbcc492c-782e-4418-8373-dbc7a76498b0", + "created": "2023-09-29T17:45:35.293Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:45:35.293Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json b/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json index b8bfda9fa9..79741facd0 100644 --- a/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json +++ b/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb1ca85a-bc07-4147-9e3e-48cf9725031d", + "id": "bundle--a4762523-e26b-4239-916d-4ebd74cfcda6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dc15440d-6683-435a-8c87-64daea29bcaa.json b/ics-attack/relationship/relationship--dc15440d-6683-435a-8c87-64daea29bcaa.json deleted file mode 100644 index 81ddce9a14..0000000000 --- a/ics-attack/relationship/relationship--dc15440d-6683-435a-8c87-64daea29bcaa.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--4ff2154e-8a34-4ec8-b4d4-7b71b12cb641", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--dc15440d-6683-435a-8c87-64daea29bcaa", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:01:03.550Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json b/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json index 7189497b5c..e52dddc366 100644 
--- a/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json +++ b/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c9f0112-aef0-4a23-abcb-86a95680009f", + "id": "bundle--b426dd59-7db2-46c4-a2b5-7902ff4a9bfe", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json b/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json index 8fb12c0d05..a15dcae3d0 100644 --- a/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json +++ b/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b6281ae-16c8-45c2-b0c9-fe85b3a34063", + "id": "bundle--e873ac43-af87-4f8f-b60a-38be69bfbfec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json b/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json new file mode 100644 index 0000000000..5cac3ae72a --- /dev/null +++ b/ics-attack/relationship/relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bd3037da-343f-4113-adb1-25391bde6ed6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--dd9abe36-1cee-4100-a94f-105d9678fd1f", + "created": "2023-09-29T18:06:35.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:06:35.470Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json b/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json index 61866eef0f..bec6493ee6 100644 --- a/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json +++ b/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6c4716c5-5a7c-4827-ab31-901583e825f1", + "id": "bundle--d3ddefe8-20bb-467a-9447-08882f29b3f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json b/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json index 194baa335b..9c96f9a71b 100644 --- a/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json +++ b/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fef518b4-4dae-45db-9270-593cbebd5c5f", + "id": "bundle--5c592cdd-5a29-4308-a05a-8e8e5bef7c94", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json b/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json index e06daceb30..6cb73dfe68 100644 --- a/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json +++ b/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--542145cb-ff5d-4655-ad51-e2e2cdf53270", + "id": "bundle--6bb11b3b-4999-4257-bd11-adf80329c5c9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json b/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json index 722d8ad32c..1b417dac4b 100644 --- a/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json +++ b/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27c4572e-f831-47ca-b56a-31a00a857c5e", + "id": "bundle--f25723c6-69bc-4398-9b23-186723ad7ac6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json b/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json new file mode 100644 index 0000000000..bf3f4ee711 --- /dev/null +++ b/ics-attack/relationship/relationship--dead5325-7efe-4dcc-bf78-42b9190f74da.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--dc8f856a-a396-4928-822d-8b234b14c559", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--dead5325-7efe-4dcc-bf78-42b9190f74da", + "created": "2023-09-29T16:46:40.272Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:46:40.272Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json b/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json new file mode 100644 index 0000000000..6bf4f40ad9 --- /dev/null +++ b/ics-attack/relationship/relationship--def57041-6bb4-453a-bf04-188b9e97a35d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--93e4c2e8-d985-49f4-8388-3b7a4a547a0c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--def57041-6bb4-453a-bf04-188b9e97a35d", + "created": "2023-09-28T21:26:34.603Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:34.603Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json b/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json new file mode 100644 index 0000000000..12d0dc0d27 --- /dev/null +++ b/ics-attack/relationship/relationship--df321d74-25d6-42da-80e8-3c9a291cb471.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--96643ead-1d12-4ec2-bf68-2abde96226aa", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--df321d74-25d6-42da-80e8-3c9a291cb471", + "created": "2023-09-28T19:57:41.602Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:57:41.602Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json b/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json index 78790de35d..4bf4531628 100644 --- a/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json +++ b/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cfb3b5b2-3ee6-443f-9965-18b5c4b23d93", + "id": "bundle--af02e76f-c4aa-49dc-910d-5c80a0293d0c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json b/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json new file mode 100644 index 0000000000..149502fd2e --- /dev/null +++ b/ics-attack/relationship/relationship--df7b521e-4496-432f-a61d-3094d0c7bc23.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6f11f9a6-b4ce-4ce8-bfc3-e119e1601533", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--df7b521e-4496-432f-a61d-3094d0c7bc23", + "created": "2023-09-29T17:58:26.994Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:26.994Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json b/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json new file mode 100644 index 0000000000..3bbe2f7631 --- /dev/null +++ b/ics-attack/relationship/relationship--df80e2b6-5672-4f26-a19c-a394f3731f24.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--96abfd10-51c5-4eae-8d22-dccc0597067f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--df80e2b6-5672-4f26-a19c-a394f3731f24", + "created": "2023-09-28T19:48:48.649Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:48:48.649Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json b/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json index d8df9b8807..9c2398ec99 100644 --- a/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json +++ b/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c45a4654-b7aa-44c8-a35e-57774794835b", + "id": "bundle--895ed42d-8f35-4543-8804-2c8bcb40dd0e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json b/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json new file mode 100644 index 0000000000..f108470d84 --- /dev/null +++ b/ics-attack/relationship/relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e90cff5b-4fef-4a57-a8bc-b0e2e8fec530", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--df9f5a5b-0662-4904-8e57-bc25c244a6da", + "created": "2023-09-28T20:11:11.658Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:11:11.658Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json b/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json new file mode 100644 index 0000000000..d0ef50cd00 --- /dev/null +++ b/ics-attack/relationship/relationship--dfb20521-91c2-4f55-b92a-dab959759b78.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--506b2258-c872-43ab-aa34-6ed6d7fdb2aa", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--dfb20521-91c2-4f55-b92a-dab959759b78", + "created": "2023-09-29T18:03:38.874Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:03:38.874Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json b/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json index 811dac2980..49116affdb 100644 --- a/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json +++ b/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--64d435d3-8b6c-43d4-8ef4-a424d93344ab", + "id": "bundle--050874c3-b9bc-4b19-ac18-5c246bf68372", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json b/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json index 0535b78bd8..45746d316d 100644 --- a/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json +++ b/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--895c1923-5a83-4fb5-9940-6e189b9d9ddb", + "id": "bundle--008b69e7-58ef-41c3-9b33-9bae9ff7c267", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json b/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json index 9b24d2b3fa..464e5ca72b 100644 --- a/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json +++ b/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d34ffadc-2459-4492-8ece-57bb59c91bdc", + "id": "bundle--12d41ca9-5abf-4488-b7f6-ecf08306ecc9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json b/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json index 881abb7dee..22d3ca8510 100644 --- a/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json +++ b/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13a9c671-aa77-436c-bed8-ae25cfaf9bd1", + "id": "bundle--07543337-0eb6-4672-9e26-c951132a3fa3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json b/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json index 5df53c220b..718ddad289 100644 --- a/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json +++ b/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d436e99-e969-4474-bd42-9c19cd50368a", + "id": "bundle--3d6fcbdd-3efe-41e7-a52d-e64e77646c8b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json b/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json index 9fce054cbf..dd1d90d3e0 100644 --- a/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json +++ b/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e016c95-ce1c-4576-9c13-d31af1dfe615", + "id": "bundle--c90f25d8-4f2e-457f-a193-2de52499be9c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json b/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json index 9323efe3b1..43318db036 100644 --- a/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json +++ b/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab0bbb28-decc-4eef-92ba-48e8526249e2", + "id": "bundle--6b856f35-df34-4cc4-a761-f6b41d08873d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json b/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json index 8bf089e45c..5643cea0f0 100644 --- a/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json +++ b/ics-attack/relationship/relationship--e0da1f92-82b1-4096-86c4-1aef58ca89fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04078e51-2a45-46bf-af35-c6f25c86a922", + "id": "bundle--6d21641d-22d9-45e9-891f-6f45b26e145b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json b/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json new file mode 100644 index 0000000000..5287ae9639 --- /dev/null 
+++ b/ics-attack/relationship/relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a0b9b158-28c4-4794-92cd-3cb711bfe552", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e1269074-37f4-460b-8a2a-cd26892d4f8e", + "created": "2023-09-28T19:42:54.009Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:42:54.009Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json b/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json index 27b0dc5b79..b2ee74fde2 100644 --- a/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json +++ b/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6949dc9-04e0-48f7-b88b-02146e09d3ad", + "id": "bundle--2a6667ea-3170-453b-8247-fd7549736878", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json b/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json index 0eff022acf..96fa7838d4 100644 --- a/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json +++ b/ics-attack/relationship/relationship--e156609f-c30b-4bf5-8a1b-9689ba778a14.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a6af48a7-619d-4ce4-8ac3-82e248f8e6be", + "id": "bundle--d625eec7-cacc-4526-9a09-a3bf032fb0ab", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json b/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json new file mode 100644 index 0000000000..e3ceb44d5f --- /dev/null +++ b/ics-attack/relationship/relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--434ee828-e1d8-4ffb-8dcf-381e68a96d61", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e17c3b74-69d8-47b2-88d4-adcaf418ab74", + "created": "2023-09-29T17:08:48.251Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:08:48.251Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json b/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json index 0b5215abaa..f1c74af0fe 100644 --- a/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json +++ b/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df8a885c-d5ec-4a00-911c-35014f29b2f3", + "id": "bundle--ffa78676-1a9e-4f1d-977a-cbc4b00e4d79", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json b/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json new file mode 100644 index 0000000000..e64bee2055 --- /dev/null +++ b/ics-attack/relationship/relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4f4d089f-a512-4d93-893d-8e10887945b2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e1f28ed0-ec35-4792-ae02-a2d003bd3df4", + "created": "2023-09-28T20:09:07.381Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:09:07.381Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json b/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json index 4ab5afe30a..6581d2569e 100644 --- a/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json +++ b/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23debf59-e0cc-469b-b922-4c1cc8be1ea0", + "id": "bundle--ebf70c6d-99ea-4bef-9cde-eacd3f899b3e", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json b/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json index e9c0ea9b6a..01a8b057cb 100644 --- a/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json +++ b/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53b4884d-1884-42b3-acb2-1cf85aed66fa", + "id": "bundle--3f8d5436-52d3-4e68-a4ac-af4dffcfb068", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json b/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json index 27ef892952..82abbb4cdb 100644 --- a/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json +++ b/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--440b39e4-5baf-4877-a3d7-e8f02ab5ef73", + "id": "bundle--c57f2cfb-e813-4e26-b37b-d35d0c98aaf2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json b/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json new file mode 100644 index 0000000000..52fbebc13b --- /dev/null +++ b/ics-attack/relationship/relationship--e3b04152-0c90-41ff-a333-c5163fa9714f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--fb780ecf-34f4-4353-880d-c04d516ec640", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e3b04152-0c90-41ff-a333-c5163fa9714f", + "created": "2023-09-29T17:41:22.619Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:41:22.619Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json b/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json new file mode 100644 index 0000000000..377091b87a --- /dev/null +++ b/ics-attack/relationship/relationship--e434db5d-f201-4411-825f-4a50e1e78c75.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ce2a4107-e21b-4189-8f61-e909a78b6295", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e434db5d-f201-4411-825f-4a50e1e78c75", + "created": "2023-09-29T17:06:20.834Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:06:20.834Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json b/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json new file mode 100644 index 0000000000..e7945b2810 --- /dev/null +++ b/ics-attack/relationship/relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--0f733424-6958-4d26-b9e9-1b17138cc822", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e49e0138-4247-4f3e-a42c-f0dab2f6ffbc", + "created": "2023-09-29T18:49:44.351Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:49:44.351Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json b/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json index 326d8f9871..f76ee09847 100644 --- a/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json +++ b/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8599c122-91e6-4e18-b99f-297069ee7864", + "id": "bundle--6231b5b1-75e7-4d3b-b7a7-4f4e7d04d1be", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json b/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json new file mode 100644 index 0000000000..cb60d75901 --- /dev/null +++ b/ics-attack/relationship/relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--45db63ec-374e-4f52-ac87-cfbfc587bf80", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e4bc29f2-87c8-491d-b51b-d6cede7c1972", + "created": "2023-09-29T16:45:33.777Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:33.777Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json b/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json index c660480d88..31b678a744 100644 --- a/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json +++ b/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4aa75c1f-9f8d-456d-8c44-9f2b13c6bf21", + "id": "bundle--c47a739a-50c2-48b8-a5f5-1a9291c3b2c3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json b/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json index f1d0fc2987..2ce549494a 100644 --- a/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json +++ b/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00df2479-b093-4a3e-ba1f-95b0a97c3ece", + "id": "bundle--3a1d5e02-dde5-47ca-9694-5c78c2e85453", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json b/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json new file mode 100644 index 0000000000..70e9deaf5d --- /dev/null +++ b/ics-attack/relationship/relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--7a6c68f4-1593-402b-ad66-effffe1a5c47", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e5c9aacb-51e3-41d3-995d-9e6ed04a2454", + "created": "2023-10-02T20:17:51.320Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:17:51.320Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json b/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json index 160c59283b..1f18a2ce71 100644 --- a/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json +++ b/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7758dda9-9c5f-4218-be1d-789d958191d1", + "id": "bundle--13bcbed8-c142-4761-93ce-90ad4aa5af1e", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json b/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json new file mode 100644 index 0000000000..fb08614b3e --- /dev/null +++ b/ics-attack/relationship/relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--dc234b84-ed08-4f3c-9444-677bcd1dcf55", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e6af4cbd-1b2e-4733-be57-43a845f465eb", + "created": "2023-09-28T20:30:32.778Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:30:32.778Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json b/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json index dcb5689072..ede345cebd 100644 --- a/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json +++ b/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json 
@@ -1,24 +1,26 @@ { "type": "bundle", - "id": "bundle--54c1be03-dd09-4c6e-9e77-7399aa8f058d", + "id": "bundle--9efff3c2-7b0a-409a-ac86-15d6ab4fdfdf", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.154Z", + "modified": "2023-09-25T20:42:45.693Z", + "description": "All field controllers should restrict the modification of parameter values to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism. They should also restrict online edits and enable write protection for parameters. \n", "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file 
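Review bot: The rewritten `description` on the added side ends with `parameters. \n`, a stray space followed by an embedded trailing newline, so every consumer that renders or compares this string inherits that whitespace. I would end the value at the full stop, `... enable write protection for parameters."`, and make the example list consistent by writing `field technicians`. The wording moves from restricting modification of programs to restricting modification of parameter values while `source_ref` and `target_ref` stay the same; the hunk does not show the target technique's name, so confirm the new text matches it. `x_mitre_version` also stays at `"1.0"` although the guidance itself changed, which may be intended for relationship objects but is worth confirming against the project's versioning rule.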
diff --git a/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json b/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json index cfc2f5f71e..783cbc10a4 100644 --- a/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json +++ b/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc860fd7-d661-492c-9ed5-7c73ec5b9ce6", + "id": "bundle--82c1e808-a0ab-484e-bfe4-bf4728443c9e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json b/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json new file mode 100644 index 0000000000..7b83b751f4 --- /dev/null +++ b/ics-attack/relationship/relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--035261d8-0ea3-44f5-9f8c-6fd0c57757c6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e75f88e6-1ffb-467b-b488-46e91cb3e1e9", + "created": "2023-09-28T19:42:16.270Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:42:16.270Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json b/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json index 1d23a3b602..afdff33d81 100644 --- a/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json +++ b/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60554570-da1b-45b3-83d3-cc84aaafc4bc", + "id": "bundle--db7ad7e5-5791-4fbc-b741-7d124c2eab20", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json b/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json new file mode 100644 index 0000000000..ea0e6db424 --- /dev/null +++ b/ics-attack/relationship/relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--535ee9b7-365c-4b5f-a25f-f062979e09a4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e79825fb-3bd0-41e7-9bdd-257cd3ab44a2", + "created": "2023-09-29T16:45:20.769Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:20.769Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json b/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json new file mode 100644 index 0000000000..56fb4125fa --- /dev/null +++ b/ics-attack/relationship/relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--93b3f3fa-3afd-40a7-b13a-30c054aa0728", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e83a79df-2555-4b2f-9ade-b9ed2689ae42", + "created": "2023-09-29T16:39:41.736Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:41.736Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json b/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json index 4ac1f15ab3..61694e17a0 100644 --- a/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json +++ b/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8311374c-1d49-4eb8-91db-df48b41e2da9", + "id": "bundle--74d959b4-4949-48a9-8695-aa34c1801eba", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json b/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json index 1f57354068..e55652d0f3 100644 --- a/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json +++ b/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--be63b6e4-1c38-41b5-ab35-30f443914c4c", + "id": "bundle--c02757dc-9e3e-4c64-9c44-f2cd29fd614b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json b/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json index bb65219e98..bbcf7b4073 100644 --- a/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json +++ b/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0fac4006-eb17-4c9a-b363-163e6203feca", + "id": "bundle--4915b9a2-ff89-4278-a84b-06d308103755", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json b/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json index 97d17c61ef..4dcf216d6b 100644 --- a/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json +++ b/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9915c509-21ea-4e33-a47a-b29c3f0e2324", + "id": "bundle--6a665e3c-e588-464e-a52b-80409f5ae09e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json b/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json new file mode 100644 index 0000000000..07c710e7d9 --- /dev/null 
+++ b/ics-attack/relationship/relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--06da535a-5fb4-4bc2-99b6-9d6a3be1398d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e8ef9bb9-1335-4418-b788-f8220dbbe4c8", + "created": "2023-09-28T19:50:30.312Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:50:30.312Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json b/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json new file mode 100644 index 0000000000..d089890e90 --- /dev/null +++ b/ics-attack/relationship/relationship--e915e12c-3d0c-4f60-b119-9414940abb0b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--432f9666-ed61-4208-b130-2239be6d5859", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e915e12c-3d0c-4f60-b119-9414940abb0b", + "created": "2023-09-28T20:08:27.145Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:08:27.145Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json b/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json new file mode 100644 index 0000000000..1a31afcc50 --- /dev/null +++ b/ics-attack/relationship/relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a30d8f97-1d6d-4147-80f8-f6322dbf4b9f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e95fe824-4df1-49a2-abf7-5d76fb47ef42", + "created": "2023-09-28T19:45:18.672Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:45:18.672Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json b/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json new file mode 100644 index 0000000000..6c22f5c9f0 --- /dev/null +++ b/ics-attack/relationship/relationship--e98892d6-e036-4140-adbb-2932dba51a19.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ee67f497-7df8-4492-9d38-46ef2e5bec99", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e98892d6-e036-4140-adbb-2932dba51a19", + "created": "2023-09-28T20:08:09.519Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:08:09.519Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json b/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json index 884a1f88cf..e87d416307 100644 --- a/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json +++ b/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--575d9d72-9a87-4f77-9e72-29e5def95648", + "id": "bundle--26829d6d-cbe8-4329-a5d0-d7832c9409b2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ea218d63-d9de-4f63-804a-cb039d804025.json b/ics-attack/relationship/relationship--ea218d63-d9de-4f63-804a-cb039d804025.json deleted file mode 100644 index a416263c6b..0000000000 --- a/ics-attack/relationship/relationship--ea218d63-d9de-4f63-804a-cb039d804025.json +++ /dev/null 
@@ -1,33 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--eb5c78c3-e277-4ecd-a106-0a70bf191198", - "spec_version": "2.0", - "objects": [ - { - "type": "relationship", - "id": "relationship--ea218d63-d9de-4f63-804a-cb039d804025", - "created": "2022-09-20T20:54:08.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:26:30.893Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors gained access to the system through remote access software, allowing for the use of the standard operator HMI interface.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - } - ] -} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json b/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json index 3388808e53..a218f1cce0 100644 --- a/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json +++ b/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--48188248-30b3-41d7-aa55-660f69d70284", + "id": "bundle--2071decb-4a16-4667-bc4a-a58346636bf0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json b/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json index aa666c29a6..bd1e3297d3 100644 --- a/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json +++ b/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db322807-986b-401b-9e5d-735118fc2d6e", + "id": "bundle--85c44f34-8719-46cb-ab93-c86485dfe4d6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json b/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json index dcc2099763..38b4038d3d 100644 --- a/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json +++ b/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52cd47f3-8634-434b-92ce-915df534ff96", + "id": "bundle--0007e325-a2c1-4701-bdd9-354292b02925", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json b/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json new file mode 100644 index 0000000000..d554e49656 --- /dev/null +++ b/ics-attack/relationship/relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--752743bb-fd45-455b-9720-417438a0501e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eac205a6-271b-4a86-acf3-6f4ddefb82c4", + "created": "2023-09-29T17:38:59.611Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:59.611Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json b/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json index b3dc179b10..2aef59b266 100644 --- a/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json +++ b/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b93fbb0-49d9-445a-a028-717036e75382", + "id": "bundle--28a25e36-a870-49e1-8691-57c7c8e31e05", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json b/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json new file mode 100644 index 0000000000..0f065aaa6c --- /dev/null +++ b/ics-attack/relationship/relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--603cf205-cfb2-4b73-82d6-042d94b62f7e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eadb4ca5-ee99-4169-a926-95b1ff82e960", + "created": "2023-09-28T20:28:52.768Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:28:52.768Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json b/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json new file mode 100644 index 0000000000..cda5693c19 --- /dev/null +++ b/ics-attack/relationship/relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5bd68f0d-afcc-4420-9924-49af2297ea27", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eae674f9-10a2-41e6-9cd3-205af8e69d53", + "created": "2023-09-28T20:05:15.314Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:05:15.314Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json b/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json index 690e93b90b..670d76deb8 100644 --- a/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json +++ b/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39b69a5a-374c-4804-b467-66da37d9a1e6", + "id": "bundle--58cdf6bb-0cce-461e-97e4-d72478e03d5a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json b/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json index 089aedaa59..e13a2ffc8c 100644 --- a/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json +++ b/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df1a99a7-2720-429a-963e-4199e9156c6e", + "id": "bundle--076cc6ed-8e41-4a15-a98f-c12f8e18ab17", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json b/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json new file mode 100644 index 0000000000..7e6b0996b9 --- /dev/null +++ b/ics-attack/relationship/relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f290acb1-2fe6-4e1f-8858-b2ad827dc89e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eb171086-88e1-4f24-bd7e-c3f8b3c3283b", + "created": "2023-09-28T19:44:09.311Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:44:09.311Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json b/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json index 6f68d342dd..21b897029b 100644 --- a/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json +++ b/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28960855-e306-473b-b3b5-75f1c4a99af2", + "id": "bundle--eaca6f3e-f9d4-4451-9645-2c4ec60abbb4", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json b/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json new file mode 100644 index 0000000000..4ec99f10a2 --- /dev/null +++ b/ics-attack/relationship/relationship--eb5310c6-7500-4b16-8ca7-6678c6232001.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--c14ae608-815c-4027-9d16-46f25b96324d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eb5310c6-7500-4b16-8ca7-6678c6232001", + "created": "2023-09-29T19:36:38.824Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T19:36:38.824Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json b/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json index 4821802f1a..9c24c12412 100644 --- a/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json +++ b/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8b44294-16f8-4968-9acd-1cb91dd8ab58", + "id": "bundle--c9a015a4-0d62-4abe-afc6-779afcd89a0b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json b/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json new file mode 100644 index 0000000000..5013258513 --- /dev/null +++ b/ics-attack/relationship/relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--75776e58-3c30-4e0c-b302-3e2a04f01f27", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ebc9f35c-6f95-4bc0-b8b3-f9b515690fa0", + "created": "2023-09-29T17:09:37.977Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:09:37.977Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json b/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json index 3f892a32df..9b7ce4cf4d 100644 --- a/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json +++ b/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83e17b6c-d363-4a0c-b12f-1b4d0735ad1a", + "id": "bundle--a61f34a4-bab8-4151-82b0-e2caab8f1a14", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json b/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json new file mode 100644 index 0000000000..03cdc78d2a --- /dev/null +++ b/ics-attack/relationship/relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d9086d5e-5291-4f6a-86d9-d236df2079a9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ecaf20c0-d881-45b4-98f2-a456e07d3643", + "created": "2023-09-28T21:25:48.379Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:25:48.379Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json b/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json index 579b78bef7..0de7503fd0 100644 --- a/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json +++ b/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b1cf2a6-8058-4661-9277-7bedb96cb197", + "id": "bundle--9eb51828-7d69-4934-8ef9-5fc5790b1000", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json b/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json new file mode 100644 index 0000000000..ebdd3c4c02 --- /dev/null +++ b/ics-attack/relationship/relationship--ed095993-bc85-431e-9621-437143f16d44.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ce5dbbc8-d45e-46a7-b2a2-c8dda2d234db", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ed095993-bc85-431e-9621-437143f16d44", + "created": "2023-09-29T17:44:09.285Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:44:09.285Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json b/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json new file mode 100644 index 0000000000..80c7637eb4 --- /dev/null +++ b/ics-attack/relationship/relationship--ed3ce006-cf41-46f6-bd86-054314c130dc.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--347aa3fa-bd6d-43f9-8e59-dce13fe6537f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ed3ce006-cf41-46f6-bd86-054314c130dc", + "created": "2023-09-28T21:15:57.120Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:15:57.120Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json b/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json new file mode 100644 index 0000000000..e1297a38b6 --- /dev/null +++ b/ics-attack/relationship/relationship--ed3ef546-566a-46c7-918e-7bfa10d05991.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e74c7ae1-f711-453c-b2dc-27a21b936bc4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ed3ef546-566a-46c7-918e-7bfa10d05991", + "created": "2023-09-29T17:06:47.370Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:06:47.370Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json b/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json new file mode 100644 index 0000000000..e06b1293de --- /dev/null +++ b/ics-attack/relationship/relationship--ed66e087-8877-4146-a16a-44cfd144a3d8.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9d0bd5f4-a3a5-4c5b-b8d5-2d5bd0411286", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ed66e087-8877-4146-a16a-44cfd144a3d8", + "created": "2023-09-29T17:07:00.450Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:07:00.450Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json b/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json new file mode 100644 index 0000000000..3a694d90c5 --- /dev/null +++ b/ics-attack/relationship/relationship--ed8b97e2-5966-4844-a636-524541a46e43.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9f1a64d3-4f34-4021-94ca-9ca33b3e4352", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ed8b97e2-5966-4844-a636-524541a46e43", + "created": "2023-09-29T16:39:18.448Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:18.448Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json b/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json new file mode 100644 index 0000000000..b2e9c90ca5 --- /dev/null +++ b/ics-attack/relationship/relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--caa32a20-6b50-4210-b760-228f2efff955", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--edaa6f5c-1b59-4ecb-a20f-716a61cdaccb", + "created": "2023-09-29T16:39:29.206Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:29.206Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json b/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json index 6efb824c72..34a1c5a3fd 100644 --- a/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json +++ b/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c13cc7d1-182c-4f47-9470-2b7dd8a724f6", + "id": "bundle--dc2f903c-65aa-4901-89e9-5d6ba4ed3eeb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json b/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json new file mode 100644 index 0000000000..cd0a0730ef --- /dev/null +++ b/ics-attack/relationship/relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--82f63144-1ccf-4f14-a180-021ff990f7db", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--edccbe1f-a07a-405e-9b9a-b247ce3dcc9b", + "created": "2023-09-29T17:58:54.996Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:54.996Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json b/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json new file mode 100644 index 0000000000..10f08ab554 --- /dev/null +++ b/ics-attack/relationship/relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--8aca5238-f09d-41a6-bbc2-e55246c55735", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ede2b798-2f39-419e-a7d3-8f0c733af4c1", + "created": "2023-09-28T21:12:00.004Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:12:00.004Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json b/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json index 5b83d2713b..5452424b1b 100644 --- a/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json +++ b/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1d3e94e7-35b8-4f27-98ac-0700430b34da", + "id": "bundle--8bc195b9-efc9-477d-a0e1-be882f1ed882", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json b/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json new file mode 100644 index 0000000000..5e8ad978e2 --- /dev/null +++ b/ics-attack/relationship/relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--066732c6-68e0-4153-bd3d-96a492e2cb97", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--edfa4bcb-6304-42df-b7c6-8caf480c66f2", + "created": "2023-09-29T17:58:04.082Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:58:04.082Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json b/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json index 3ee58b2379..f1486f8390 100644 --- a/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json +++ b/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--930d6101-e787-494b-8e37-20692673b360", + "id": "bundle--eac033c0-d221-4400-97bc-1196607102f0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json b/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json index fd267ab76c..977fa2f42b 100644 --- a/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json +++ b/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3b44ae3-6916-4c81-91d0-9ba3d01abeae", + "id": "bundle--5c030eed-89ad-4929-86b9-faa0d5893800", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json b/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json index c1fa24ab31..bc00b72fe4 100644 --- a/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json +++ b/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1629bed-4382-4971-947b-6931e2ba9781", + "id": "bundle--37012c9f-61f5-48d5-b80d-ee27226dcb32", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json b/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json new file mode 100644 index 0000000000..972a0a3892 --- /dev/null +++ b/ics-attack/relationship/relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--da1c1d8e-6a0a-4432-9214-587e01870dff", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ee72cc27-2e78-47c4-8786-1351f9bcee97", + "created": "2023-09-28T20:05:33.450Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:05:33.450Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json b/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json index 5d26cf8136..e264bade16 100644 --- a/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json +++ b/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2bdc4127-af29-4beb-8c75-bda51c1383e1", + "id": "bundle--aca6db9d-3c6f-401d-bf89-e8bea07b7e65", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json b/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json new file mode 100644 index 0000000000..25a7380a08 --- /dev/null +++ b/ics-attack/relationship/relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--f3d98399-b10f-4109-92a6-af7adda430ff", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eebae2f3-aaa1-4410-8b75-db5bdac1d4d6", + "created": "2023-09-28T20:04:07.868Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:04:07.868Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json b/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json index ca3a3f5de1..5d0023d0f5 100644 --- a/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json +++ b/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e965ce9c-148c-49fd-9fc2-4a3bcece403e", + "id": "bundle--1f828696-43db-4b02-b607-01d38efcd59d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json b/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json index 7cb53a0b55..da84fd67da 100644 --- a/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json +++ b/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ef58dde-9206-4d17-ba9d-0ea6769f00f8", + "id": "bundle--7fbc2521-7230-4abf-925e-50f6140b6429", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json b/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json new file mode 100644 index 0000000000..0634e3f77c --- /dev/null +++ b/ics-attack/relationship/relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--02e08e6c-2551-4166-a0e8-62f191489ec3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eeeb83cb-0a8a-412b-aae2-aede7c43d8e8", + "created": "2023-09-28T21:11:45.241Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:11:45.241Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json b/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json index c846378dca..49fc3ec602 100644 --- a/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json +++ b/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95db3e89-386a-4e82-b067-1e48cb2bf5fa", + "id": "bundle--110638f1-866b-47c2-83a8-511e18c6fd7c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json b/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json new file mode 100644 index 0000000000..3d437f1cb4 --- /dev/null +++ b/ics-attack/relationship/relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--59cbe873-f0c3-4ad3-8c4f-2982fb49cfd5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ef60735b-c64b-465c-9e5f-46a4d3a49fb3", + "created": "2023-09-28T19:54:48.577Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:54:48.577Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json b/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json index 7019e01f8a..5573c1020e 100644 --- a/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json +++ b/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b28bf4ad-bbd4-483d-821d-623e32ef42b3", + "id": "bundle--6ad13652-162a-4b07-bb30-2b8d233a6a1e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json b/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json index 50eb5792a5..3c1567942c 100644 --- a/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json +++ b/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e662e0d-8efc-411f-825c-555df4e4ca6a", + "id": "bundle--f9bd6ef5-d9a3-45ab-a163-3b7007ba9e95", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json b/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json new file mode 100644 index 0000000000..39935aae3d --- /dev/null +++ b/ics-attack/relationship/relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6ae70c68-d89d-4e50-badc-4ed63e6ef381", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--eff19f74-4940-4c8e-a3b3-b3c16fe3f5e0", + "created": "2023-09-29T16:39:09.447Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:39:09.447Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json b/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json new file mode 100644 index 0000000000..48c855b163 --- /dev/null +++ b/ics-attack/relationship/relationship--f05a2592-00f9-4f1f-ba55-395af5444b96.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--dec5c79b-29a7-4659-843e-e5505b2750cd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f05a2592-00f9-4f1f-ba55-395af5444b96", + "created": "2023-09-29T17:42:29.179Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:42:29.179Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json b/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json new file mode 100644 index 0000000000..ba09cade5e --- /dev/null +++ b/ics-attack/relationship/relationship--f08d487a-7837-48f9-9301-fe0f9f144c92.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--92975234-6821-4b6d-809a-dadb6d4e3e64", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f08d487a-7837-48f9-9301-fe0f9f144c92", + "created": "2023-09-28T20:31:04.691Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:31:04.691Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json b/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json index 30fd47fc81..a4e945cf29 100644 --- a/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json +++ b/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ac36275-1ce3-4497-b500-8b7baf3d3b03", + "id": "bundle--9a45420d-6887-47c6-add8-bf823d12ff7f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json b/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json index 23c1ea7969..8f55826238 100644 --- a/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json +++ b/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20cf343d-9ac1-4d8b-8e73-8e618962e5c9", + "id": "bundle--2098629d-84e3-4759-929b-d797f819a5df", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json b/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json index 7e9a4ccef3..d9b4a62266 100644 --- a/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json +++ b/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c4308bb-79ce-4b98-aa1a-3eec3d19130c", + "id": "bundle--25c21a4f-8263-474b-b499-bf57a64598e7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json b/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json new file mode 100644 index 0000000000..1c114ed017 --- /dev/null +++ b/ics-attack/relationship/relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--1358af8a-59c3-4212-90f7-b83173c54f3a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f0d4d23c-2c8c-4731-9b81-7c86fed25b5d", + "created": "2023-09-29T18:45:34.258Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:45:34.258Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json b/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json new file mode 100644 index 0000000000..226fe781f5 --- /dev/null +++ b/ics-attack/relationship/relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--dfd22cf6-e574-498a-a627-678b6571a39c", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f10611e9-4812-4780-a1d5-0ad537dd95fb", + "created": "2023-09-28T21:23:01.421Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:23:01.421Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json b/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json index 4bdd34da8a..8b61d05a4a 100644 --- a/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json +++ b/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f7c2d0c9-666e-48ad-8058-7619429644fb", + "id": "bundle--f45d4ba3-fdc3-43c3-adbb-25b8c371b095", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json b/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json new file mode 100644 index 0000000000..c95bede392 --- /dev/null +++ b/ics-attack/relationship/relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--03276b54-2159-4553-9e84-539ff22d8434", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f13dac1a-090b-40c6-9093-eb4abe0deba8", + "created": "2023-09-28T21:24:22.815Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:24:22.815Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json b/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json index 64c7572209..539cf94dbc 100644 --- a/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json +++ b/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf0155be-328d-4393-9b34-48beadefd780", + "id": "bundle--f5d037c8-5561-4abd-b933-055d200e21f0", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json b/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json index e0c7f2b650..76a19c96b8 100644 --- a/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json +++ b/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ab1a9f7-d53f-4b6c-9ab9-0237bab43c37", + "id": "bundle--b3220ea2-b9c9-42cf-bec0-8286d53a323a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json b/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json new file mode 100644 index 0000000000..f0218a2207 --- /dev/null +++ b/ics-attack/relationship/relationship--f19c34b2-ef3a-4581-b604-6639f501e32f.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--25a9f75f-109b-486b-9f24-14e44c8fee69", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f19c34b2-ef3a-4581-b604-6639f501e32f", + "created": "2023-10-02T20:20:32.163Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:20:32.163Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json b/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json new file mode 100644 index 0000000000..0b76775f97 --- /dev/null +++ b/ics-attack/relationship/relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4b7072af-5558-4d32-b75c-e52085b53c28", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f1edb034-6dc6-4d6c-8f75-e2cd12213704", + "created": "2023-09-29T17:07:38.219Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:07:38.219Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json b/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json index 3124c5833a..da81c05d1a 100644 --- a/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json +++ b/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--819feeeb-c32b-42ba-998e-d9baf9c4453e", + "id": "bundle--f76e69cc-8bb9-454b-b715-ab708514344e", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json b/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json index c5dcb89d42..6e8f359390 100644 --- a/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json +++ b/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a00dda5-8a2b-42ab-b26c-153fa68358a8", + "id": "bundle--c7148799-26e9-4cae-8a95-2cdaef6bdcf2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json b/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json index f6cb27c3f5..921b116ff9 100644 --- a/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json +++ b/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--880c98dc-2499-470c-b24f-936808be7e0d", + "id": "bundle--e9b6160f-2d57-46d6-bc6e-b2728bc45e5b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json b/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json index b402805ff5..6b077c144e 100644 --- a/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json +++ b/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58e13dcb-8be1-49a5-9889-c0309ad83806", + "id": "bundle--98fdc9eb-7fd5-4dd9-b8cd-de38d5ba8f8f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json b/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json index f2104870dc..ded902d0c4 100644 
--- a/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json +++ b/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5694cf6-a521-431f-bab5-5c501c540863", + "id": "bundle--594c6d66-68be-4022-bfda-8d06b5ca128c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json b/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json new file mode 100644 index 0000000000..cf6c65ea67 --- /dev/null +++ b/ics-attack/relationship/relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ef8429b0-285b-40a3-9a3c-2748c1171c4f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f353e8ec-0766-4fbd-86b7-9ea06b52958b", + "created": "2023-09-28T21:23:51.038Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:23:51.038Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba.json b/ics-attack/relationship/relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba.json index ea005e3129..6b378b6380 100644 --- a/ics-attack/relationship/relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba.json +++ b/ics-attack/relationship/relationship--f3810d69-0eff-4d62-bdf1-2870cf676bba.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad0443a6-e855-45fb-89b5-0c3f4489192e", + "id": "bundle--8c863819-ab13-4b73-884e-d1b624e2b2bf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json b/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json index f347638262..188fd83345 100644 --- a/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json +++ b/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d2f2c5d-d91d-4f3a-9384-9df44f50babf", + "id": "bundle--375c0fa7-5654-44f5-9a4c-a39aa2e0786d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json b/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json index 4e70e99d5b..d941087944 100644 --- a/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json +++ b/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad27343d-b5fd-48aa-9b62-0429a91495ce", + "id": "bundle--b879c120-df13-43da-96ae-a1d508c06d80", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json b/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json index 0a4b075d0e..09e0666d76 100644 --- a/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json +++ b/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--93a2e598-83e0-4868-af63-f05597412d8d", + "id": "bundle--ca26e596-c8f9-4e7b-87f3-ec9876a3bd3d", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json b/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json new file mode 100644 index 0000000000..5735b0f16d --- /dev/null +++ b/ics-attack/relationship/relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--4e2d9fd5-513e-4fe1-8117-8c81dce78134", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f4afb180-4b30-4ed1-b094-3d74d8fd0cf1", + "created": "2023-09-28T19:49:56.464Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:49:56.464Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json b/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json index d9e335d118..7d9a6fe8ca 100644 --- a/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json +++ b/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f103245-4627-45d4-97aa-581ebf2e3361", + "id": "bundle--784362a1-43d6-4600-bf01-990be1e7ba01", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json b/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json new file mode 100644 index 0000000000..109eaefdfd --- /dev/null +++ b/ics-attack/relationship/relationship--f531e763-3550-40ba-a6a1-81e208ca12c6.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--5d6ec5ec-ffff-47b9-b648-0df6392ea2ab", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f531e763-3550-40ba-a6a1-81e208ca12c6", + "created": "2023-09-29T16:41:06.217Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:41:06.217Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json b/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json new file mode 100644 index 0000000000..a6db53f9e1 --- /dev/null +++ b/ics-attack/relationship/relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--9a33adac-249c-40b3-aa07-8c782cac4dd9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f5621ad9-c905-42e3-b59b-e0ae7b9051c7", + "created": "2023-09-28T21:26:23.361Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:23.361Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json b/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json index 08bc2f0a2d..88fe33aa0c 100644 --- a/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json +++ b/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c83075b-c638-425f-96b2-f048cf869cd5", + "id": "bundle--78b4be93-93a3-49ad-a7cd-e996d7af714d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json b/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json new file mode 100644 index 0000000000..3fcba34385 --- /dev/null +++ b/ics-attack/relationship/relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a2966081-6122-4124-aca4-6f7f3d7222cc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f5c91d82-5f7c-4e40-a85a-4f1909ae5545", + "created": "2023-09-29T18:44:50.280Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:44:50.280Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json b/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json new file mode 100644 index 0000000000..a36223dec0 --- /dev/null +++ b/ics-attack/relationship/relationship--f5c9f641-a498-46b5-9068-39502db53cfd.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d9d3c30b-ad4f-47db-bb15-735e86abada6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f5c9f641-a498-46b5-9068-39502db53cfd", + "created": "2023-09-28T20:10:55.590Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:10:55.590Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json b/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json new file mode 100644 index 0000000000..c19f649320 --- /dev/null +++ b/ics-attack/relationship/relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--3cfbfc18-0a09-4091-903e-865a998bd418", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f61944a4-fef5-4989-bc3d-68f86e65d7d4", + "created": "2023-09-29T17:04:55.720Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:04:55.720Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json b/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json new file mode 100644 index 0000000000..8ea09977a0 --- /dev/null +++ b/ics-attack/relationship/relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--47d4691c-f77e-4da8-9938-5a211e98ee6f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f61e474c-d7be-411e-a30e-0a1ef872fe51", + "created": "2023-09-29T17:05:20.132Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:05:20.132Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "target_ref": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json b/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json index 1c577b3bc5..d431207549 100644 --- a/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json +++ b/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6435d13a-9861-494d-a35b-12db1bf74ca9", + "id": "bundle--5fa2490f-9195-47f7-b960-b6cf9a099f5d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json b/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json new file mode 100644 index 0000000000..341bd39670 --- /dev/null +++ b/ics-attack/relationship/relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--bff2801c-d546-40f0-95f8-424da1544173", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f65fa052-5ad0-4fc3-b579-ee33d1225659", + "created": "2023-09-28T19:55:58.229Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:55:58.229Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json b/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json index e2e17f7b8f..148ed97003 100644 --- a/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json +++ b/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f3f9e02-0ea8-4c20-89e5-de1663fcc141", + "id": "bundle--1f417359-0ee0-44be-a761-55b3e34bd868", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json b/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json new file mode 100644 index 0000000000..11450b568b --- /dev/null +++ b/ics-attack/relationship/relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--cd467f78-8fff-4101-b8f8-69e819ba11dc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f691dde5-bb2d-411b-a381-b33e0ab673d6", + "created": "2023-09-28T20:12:09.661Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:12:09.661Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "target_ref": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json b/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json index 21aeeba5bb..88732d55d0 100644 --- a/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json +++ b/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7873f32b-4929-4036-948d-6c312891d3ac", + "id": "bundle--4fcb5136-c2d9-4b09-acbc-bdd9bc1d4645", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json b/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json index f981ffe6e6..8ae804bb75 100644 --- a/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json +++ b/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e9a0d105-e7d9-454a-916a-4af8349c6f3f", + "id": "bundle--0ccf66a8-cc7f-4f36-bcfe-fcdf08573584", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json b/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json new file mode 100644 index 0000000000..06dc5f87af --- /dev/null +++ b/ics-attack/relationship/relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--499c3a6e-ff67-4cc1-9260-4c0ccd14171d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f7215c1f-7bd7-41bd-8466-76caac225c7c", + "created": "2023-09-29T16:45:42.977Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:45:42.977Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json b/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json new file mode 100644 index 0000000000..bf2aa61a92 --- /dev/null +++ b/ics-attack/relationship/relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2e7f9f5d-5223-4816-afc0-c22137c73529", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f72a7a30-bab4-445b-b226-d5c3cd1a5846", + "created": "2023-09-29T18:47:39.450Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T18:47:39.450Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "target_ref": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json b/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json new file mode 100644 index 0000000000..a352519989 --- /dev/null +++ b/ics-attack/relationship/relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e3e299c4-db57-4791-86c7-edfdb8a53a46", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f7bdbc1f-d08c-48a0-a474-a79b91526138", + "created": "2023-09-28T20:31:31.498Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:31:31.498Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json b/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json new file mode 100644 index 0000000000..f0fe7470e1 --- /dev/null +++ b/ics-attack/relationship/relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df.json 
@@ -0,0 +1,38 @@ +{ + "type": "bundle", + "id": "bundle--d9f1cc22-63b0-4277-8634-77cf9dd17037", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f7c5bd1b-c596-41b2-b415-2bf5179667df", + "created": "2023-09-27T14:58:21.360Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + }, + { + "source_name": "Ukraine15 - EISAC - 201603", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018.", + "url": "https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-04T17:03:24.268Z", + "description": "During the [2015 Ukraine Electric Power Attack](https://attack.mitre.org/campaigns/C0028), [Sandworm Team](https://attack.mitre.org/groups/G0034) opened the breakers at the infected sites, shutting the power off for thousands of businesses and households for around 6 hours. (Citation: Ukraine15 - EISAC - 201603)(Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "campaign--46421788-b6e1-4256-b351-f8beffd1afba", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
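Review bot: The `Booz Allen Hamilton` entry in `external_references` carries a malformed citation string, `"Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 "`: author and title run together, the period sits after "Retrieved" instead of before it, the date format differs from the sibling entry ("Retrieved March 27, 2018."), and the value ends in a trailing space. Tools that render or de-duplicate citations by string will carry this through, so I would normalise it to `"description": "Booz Allen Hamilton. When The Lights Went Out. Retrieved October 22, 2019."`. The second entry's title spells "Ukranian", which looks like a typo for "Ukrainian" and is worth checking against the source document before changing. Both `source_name` values are referenced by the `(Citation: ...)` markers in the relationship `description`, so they should stay exactly as they are.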
diff --git a/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json b/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json index 02707e23eb..47714a7a8c 100644 --- a/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json +++ b/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4fc0779-795a-43f7-b0ff-787196627699", + "id": "bundle--3e72c1e5-2082-4778-b1eb-8adc5959fe3e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json b/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json new file mode 100644 index 0000000000..845385d345 --- /dev/null +++ b/ics-attack/relationship/relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--44e53e50-b546-4ab0-8386-ebc5982a98cb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f8456c9b-a4a5-4f13-94e3-54c787b21089", + "created": "2023-09-28T20:16:40.519Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:40.519Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json b/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json index 66085fac05..0606a668a8 100644 --- a/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json +++ b/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b7ca164f-b5fb-496d-bf81-6180c662519c", + "id": "bundle--4b600024-c591-4104-8242-ff1b17f59508", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json b/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json index 7b2d9b0317..26302a5c76 100644 --- a/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json +++ b/ics-attack/relationship/relationship--f86bde61-c4ec-4d40-9768-32e9b52c1702.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b5a9735-7bcc-4826-a212-153ff9719ab3", + "id": "bundle--d2e3763e-73df-467b-b604-fbd5a0cd3f66", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json b/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json index 2bf216a702..9bb38dcaa3 100644 --- a/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json +++ b/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c95a8d87-afcc-4e07-86b6-15e43a5cbfff", + "id": "bundle--02c8071d-d055-44a8-9508-56fbac959001", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json b/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json new file mode 100644 index 0000000000..e8abd98dd1 --- /dev/null 
+++ b/ics-attack/relationship/relationship--f92764db-a880-4726-9d28-a035170f790c.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--484a1354-b7cd-4b13-8008-df4aac071d64", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f92764db-a880-4726-9d28-a035170f790c", + "created": "2023-09-28T21:22:35.236Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:22:35.236Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json b/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json index e418bc9cf3..43c1135aeb 100644 --- a/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json +++ b/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4418a88-4a55-4393-9bfb-25453929dedc", + "id": "bundle--c763da2f-cdc0-4d1d-acfa-7f07115bd8b0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json b/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json index 7c2bfb14ae..3e37230ab5 100644 --- a/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json +++ b/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79085103-a58a-4b9e-9c43-9374fcbbd3ea", + "id": "bundle--378e7f99-ac59-40e9-8681-5ae65eaf6abd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json b/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json new file mode 100644 index 0000000000..fe3cd7aa3d --- /dev/null +++ b/ics-attack/relationship/relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b.json @@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--53227170-5935-407f-97d5-44179a4b5c43", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f9907fb1-976b-4f51-ac13-b45f2ff9452b", + "created": "2023-09-28T19:48:37.072Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:48:37.072Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json b/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json index bac13f4562..f3ff507264 100644 --- a/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json +++ b/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f5210985-6745-4cc5-b41b-ea29bf387447", + "id": "bundle--3834135b-cae7-4dbe-b979-714b267521aa", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json b/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json index 13cd42ce71..80678423b8 100644 --- a/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json +++ b/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7da3cdb2-8581-4f95-8371-464de9373af5", + "id": "bundle--4cc29c2c-dbe5-44a2-969d-36faa182f1ac", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json b/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json index e59288d7fe..622d40fec8 100644 --- a/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json +++ b/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8cb62f2e-9447-45e1-b7b1-754e4d624d7a", + "id": "bundle--460e6127-cb55-46c8-94a8-3e5ca9e48ce9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json b/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json new file mode 100644 index 0000000000..00b1224bad --- /dev/null +++ b/ics-attack/relationship/relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--a48dc206-6939-4325-8814-4a53411b649b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fac4bc88-af9b-4eec-b041-e4138b49c3c0", + "created": "2023-09-29T16:28:04.180Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T16:28:04.180Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json b/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json new file mode 100644 index 0000000000..d503b1ae77 --- /dev/null +++ b/ics-attack/relationship/relationship--fad25140-73de-40d5-a010-3464188db973.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--6ef8344c-cd00-499d-8755-1defe1d3eb56", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fad25140-73de-40d5-a010-3464188db973", + "created": "2023-09-25T20:51:07.162Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-25T20:51:07.162Z", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and\u00a0User Account Management.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json b/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json new file mode 100644 index 0000000000..1ef2ecff9c --- /dev/null +++ b/ics-attack/relationship/relationship--fadbdca3-3c98-497c-a156-e53b89664359.json 
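Review bot: The `description` of the new `mitigates` relationship `relationship--fad25140-73de-40d5-a010-3464188db973` embeds a no-break space (`and\u00a0User Account Management`), so a plain-space phrase search or exact string comparison on the mitigation text will not match it. Replace the escape with an ordinary space: `Password Policies, and User Account Management.`. This object also declares `"x_mitre_attack_spec_version": "3.1.0"` while the other relationships added in this patch use `3.2.0`; it is worth confirming that this is intentional.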
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--ba954545-2548-46af-8b09-8debb2790c52", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fadbdca3-3c98-497c-a156-e53b89664359", + "created": "2023-09-28T20:16:55.038Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T20:16:55.038Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "target_ref": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json b/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json index e89f5818a3..5ce8318e98 100644 --- a/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json +++ b/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6de6ffe5-33d4-490c-b16f-dcd44b4b0862", + "id": "bundle--9b4ce7cd-a579-4594-bf83-e2eaad61ee1a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json b/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json new file mode 100644 index 0000000000..7ab7ad281a --- /dev/null +++ b/ics-attack/relationship/relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--98e2e2c0-1c34-406a-86dd-dfdc8b81fb63", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fc189fa0-1235-46ac-a802-f226dc0ec4e1", + "created": "2023-09-29T17:38:28.664Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-29T17:38:28.664Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json b/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json index 24c0f17f38..c5e2b2bfcb 100644 --- a/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json +++ b/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5150c355-da60-4545-942f-e05b0c990a36", + "id": "bundle--b7deea39-7879-4863-b126-3683b491cf6e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json b/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json index 46b1be2ca1..28dc15d44b 100644 --- a/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json +++ b/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2bbdc55-1d66-4999-8df5-4ff3226eeb1c", + "id": "bundle--0b3f063e-50eb-4d73-876f-803edadf9bcf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json b/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json index f2f261719d..377fc33b49 100644 --- a/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json +++ b/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ec4162c6-78b7-4e8f-bb4e-26114d59f0cf", + "id": "bundle--7ee5df03-d2c5-4a80-8ab3-d56622973a95", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json b/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json index 78997362f9..65016b0367 100644 --- a/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json +++ b/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85a2fb2f-44e8-47ff-8a74-a0ebbedbc59c", + "id": "bundle--82db69b9-8821-4f3a-814e-57587946d110", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json b/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json index d113d21681..96611d1edb 100644 --- a/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json +++ b/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7fe99b7e-ebe1-40f9-a50c-6d65c3055787", + "id": "bundle--e57d24e9-fb95-409b-855e-31ee1e4b76a3", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json b/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json index cbc9a7d4e1..4bcf49bacf 100644 --- a/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json +++ b/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3447827-2f92-47e5-88d0-f0e0e3f33016", + "id": "bundle--64343f20-282f-44e3-a9cf-bd37fe7eeae1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json b/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json index a474806514..2770cb4f63 100644 --- a/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json +++ b/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c2227bf-6aca-49db-b8ca-073b454ab2fe", + "id": "bundle--5365301e-8c8f-4d9f-9241-eed760126bf0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json b/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json new file mode 100644 index 0000000000..ea25a61bd0 --- /dev/null +++ b/ics-attack/relationship/relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--78172a24-e09d-44f8-a1bc-2235464bf3e6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fd3bc308-82cd-49c9-a41e-9b19ce04b3cd", + "created": "2023-10-02T20:23:41.227Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-10-02T20:23:41.227Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "target_ref": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json b/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json index 6351087b86..61ecbba8b3 100644 --- a/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json +++ b/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7648e9f3-c30d-43ce-8bbe-9b81eec8a9a3", + "id": "bundle--551571c1-19cd-4c86-bbea-519cd8a14928", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json b/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json new file mode 100644 index 0000000000..e92a7556e4 --- /dev/null +++ b/ics-attack/relationship/relationship--fdc20415-c9a1-405e-80af-3d297894e8fa.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--b6e979e6-3a80-4a94-b1a1-9d7c72775935", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fdc20415-c9a1-405e-80af-3d297894e8fa", + "created": "2023-09-28T19:58:30.849Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:58:30.849Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json b/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json index 5849677898..cdd87de63e 100644 --- a/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json +++ b/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18618d5c-4f57-4b66-bb18-ae727d25dd8e", + "id": "bundle--996b697d-b398-4f7b-8fbf-b1b1f6ba8bee", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json b/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json new file mode 100644 index 0000000000..74e4f91f18 --- /dev/null +++ b/ics-attack/relationship/relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--d728a74b-ecc0-4752-a472-c19136a76d9d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fe22f626-ddf3-4d5e-97d1-058878d7830f", + "created": "2023-09-28T21:10:39.025Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:10:39.025Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json b/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json new file mode 100644 index 0000000000..24bebf8989 --- /dev/null +++ b/ics-attack/relationship/relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--2e7ec38b-d9de-4cdd-90e2-ed34ce8047bb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fe265dd7-2c1a-4c75-8aa8-12d0c82c7926", + "created": "2023-09-28T21:26:59.998Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:26:59.998Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json b/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json new file mode 100644 index 0000000000..34b2ae67ad --- /dev/null +++ b/ics-attack/relationship/relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--439a2c53-a37a-44cb-96f7-9500e8fcde6e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ff021e27-63be-41f4-bc4d-2ce75d8a3ecb", + "created": "2023-09-28T19:56:26.241Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T19:56:26.241Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "target_ref": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json b/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json new file mode 100644 index 0000000000..753e89159c --- /dev/null +++ b/ics-attack/relationship/relationship--ff107632-751b-4efb-86bd-af670b48d35d.json 
@@ -0,0 +1,26 @@ +{ + "type": "bundle", + "id": "bundle--e122aff9-e427-40cb-b9a3-56aaf1d6bbba", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ff107632-751b-4efb-86bd-af670b48d35d", + "created": "2023-09-28T21:21:30.387Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2023-09-28T21:21:30.387Z", + "description": "", + "relationship_type": "targets", + "source_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "target_ref": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json b/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json index be3286ed51..03d476affd 100644 --- a/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json +++ b/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f473458-4475-4ce2-a345-8b3839b5bba5", + "id": "bundle--4b04489a-0549-4033-91a0-4c28bf5dc49a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json b/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json index befda62f01..74e321dd10 100644 --- a/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json +++ b/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dfb1013c-0f53-4ca3-b393-1795aed32ea1", + "id": "bundle--1b9b96ce-bb6c-4bee-b1cf-d704aaa9d894", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json b/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json new file mode 100644 index 0000000000..9fa8c300ef --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945.json 
@@ -0,0 +1,63 @@ +{ + "type": "bundle", + "id": "bundle--915b9e0d-cade-4e30-816c-c38440a8dadf", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T18:07:59.333Z", + "name": "Virtual Private Network (VPN) Server", + "description": "A VPN server is a device that is used to establish a secure network tunnel between itself and other remote VPN devices, including field VPNs. VPN servers can be used to establish a secure connection with a single remote device, or to securely bridge all traffic between two separate networks together by encapsulating all data between those networks. VPN servers typically support remote network services that are used by field VPNs to initiate the establishment of the secure VPN tunnel between the field device and server.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Virtual Private Network (VPN) terminator", + "related_asset_sectors": [ + "General" + ], + "description": "A VPN terminator is a device performs the role of either a VPN client or server to support the establishment of VPN connection. (Citation: IEC February 2019)" + }, + { + "name": "Field VPN", + "related_asset_sectors": [ + "General" + ], + "description": "Field VPN are typically deployed at remote outstations and are used to create secure connections to VPN servers within data/control center environments. 
" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--0804f037-a3b9-4715-98e1-9f73d19d6945", + "created": "2023-09-28T15:13:07.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0011", + "external_id": "A0011" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json b/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json new file mode 100644 index 0000000000..4cd0b5d747 --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787.json 
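Review bot: The `IEC February 2019` entry in `external_references` does not follow the citation form used elsewhere in this patch (compare the `Guidance - NIST SP800-82` entry in the Field I/O asset): the date and title run together and the text ends with `Retrieved. 2020/09/25 ` plus a trailing space. Suggested form: `"description": "IEC. (2019, February). Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Retrieved September 25, 2020."`. The same entry is repeated in the Human-Machine Interface asset, and the NERC entry in the Jump Host asset has the same shape. In this file the related-asset text `A VPN terminator is a device performs the role` is also missing the word `that`.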
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--4ac9684f-d77b-4ff7-a512-20af3f3787a6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T18:03:06.811Z", + "name": "Jump Host", + "description": "Jump hosts are devices used to support remote management sessions into ICS networks or devices. The system is used to access the ICS environment securely from external networks, such as the corporate network. The user must first remote into the jump host before they can access ICS devices. The jump host may be a customized Windows server using common remote access protocols (e.g., RDP) or a dedicated access management device. The jump host typically performs various security functions to ensure the authenticity of remote sessions, including authentication, enforcing access controls/permissions, and auditing all access attempts. ", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Intermediate System", + "related_asset_sectors": [ + "Electric" + ], + "description": "A Cyber Asset or collection of Cyber Assets performing access control to restrict Interactive Remote Access to only authorized users.(Citation: North American Electric Reliability Corporation June 2021)" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--14932ed5-1098-4cc1-9f57-159ab7366787", + "created": "2023-09-28T17:52:53.206Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0012", + "external_id": "A0012" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards 
Retrieved. 2021/10/11 ", + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json b/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json new file mode 100644 index 0000000000..bae44a420d --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32.json 
@@ -0,0 +1,44 @@ +{ + "type": "bundle", + "id": "bundle--a64d6dbe-1e32-4350-847b-8505f94bb3f1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T18:05:43.237Z", + "name": "Remote Terminal Unit (RTU)", + "description": "A Remote Terminal Unit (RTU) is a device that typically resides between field devices (e.g., PLCs, IEDs) and control/SCADA servers and supports various communication interfacing and data aggregation functions. RTUs are typically responsible for forwarding commands from the control server and the collection of telemetry, events, and alerts from the field devices. An RTU can be implemented as a dedicated embedded device, as software platform that runs on a hardened/ruggedized computer, or using a custom application program on a PLC.", + "x_mitre_sectors": [ + "Electric", + "Water and Wastewater", + "General" + ], + "x_mitre_platforms": [ + "Embedded", + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--1769c499-55e5-462f-bab2-c39b8cd5ae32", + "created": "2023-09-28T14:44:54.756Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0004", + "external_id": "A0004" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json b/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json new file mode 100644 index 0000000000..6fdabdfc50 --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--9135297a-c51c-4305-9e24-5f2d82afc34b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T19:26:49.788Z", + "name": "Field I/O", + "description": "Field I/O are devices that communicate with a controller or data aggregator to either send input data or receive output data. Input data may include readings about a given environment/device state from sensors, while output data may include data sent back to actuators for them to either undertake actions or change parameter values.(Citation: Guidance - NIST SP800-82) These devices are frequently embedded devices running on lightweight embedded operating systems or RTOSes. ", + "x_mitre_related_assets": [ + { + "name": "Smart Sensors", + "related_asset_sectors": [ + "General" + ], + "description": "*A device that procures a voltage or current output that is representative of some physical property being measured (e.g., speed, temperature, flow).* (Citation: Guidance - NIST SP800-82) Smart sensors take this functionality and add on on-device processing and network communication." + }, + { + "name": "Variable Frequency Drive (VFD)", + "related_asset_sectors": [ + "General" + ], + "description": "*A type of drive that controls the speed, but not the precise position, of a non-servo, AC motor by varying the frequency of the electricity going to that motor. VFDs are typically used for applications where speed and power are important, but precise positioning is not.* (Citation: Guidance - NIST SP800-82) VFDs can be network connected." 
+ } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--2b676abd-8263-49ea-81a4-78a7e1f776fe", + "created": "2023-09-28T17:57:22.946Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0013", + "external_id": "A0013" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json b/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json new file mode 100644 index 0000000000..90189a6e8a --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64.json 
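Review bot: The Field I/O asset object has no `x_mitre_sectors` property, although the other asset objects visible in this patch (VPN Server, Jump Host, RTU, HMI) all carry one and both of its own related assets list `General`. Tooling that filters assets or technique coverage by sector would leave A0013 out without raising any error. If the omission is not deliberate, add `"x_mitre_sectors": ["General"]` next to `x_mitre_related_assets` (value to be confirmed by the data owner); otherwise consumers should treat the property as optional.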
@@ -0,0 +1,55 @@ +{ + "type": "bundle", + "id": "bundle--698831a3-396f-4365-8405-9fb1850a9001", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T17:59:11.489Z", + "name": "Human-Machine Interface (HMI)", + "description": "Human-Machine Interfaces (HMIs) are systems used by an operator to monitor the real-time status of an operational process and to perform necessary control functions, including the adjustment of device parameters. An HMI can take various forms, including a dedicated screen or control panel integrated with a specific device/controller, or a customizable software GUI application running on a standard operating system (e.g., MS Windows) that interfaces with a control/SCADA server. The HMI is critical to ensuring operators have sufficient visibility and control over the operational process.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Operator Workstation (OWS)", + "related_asset_sectors": [ + "General" + ], + "description": "An Operator Workstation (OWS) or Console is a system or device used by an operator to interface with a control system, including to access/visualizes key information or parameters about the operational process and initiate control actions. This typically consists of specialized OWS software installed on a Workstation platform. 
(Citation: IEC February 2019)" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--3a95f7e4-4877-4967-b2e8-e287976c3e64", + "created": "2023-09-28T14:38:54.407Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0002", + "external_id": "A0002" + }, + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json b/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json new file mode 100644 index 0000000000..2ef1b42e94 --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4.json 
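Review bot: The `IEC February 2019` entry in `external_references` has a citation description that does not follow the pattern of the other references in this commit. `IEC 2019, February Security for industrial automation and control systems - ... Retrieved. 2020/09/25 ` has no separator between date and title, a misplaced period after "Retrieved", a numeric date and a trailing space. The `IEC February 2013` reference in the PLC file and the NERC reference in the Workstation file have the same shape. Tools that render these strings or parse the retrieval date will treat them differently from entries such as `Keith Stouffer. (2015, May). ... Retrieved March 28, 2018.` I would normalise them, for example `IEC. (2019, February). Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components. Retrieved September 25, 2020.`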
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--a1cb7924-de5b-43dd-b858-3213c06b6cf5", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T18:08:33.386Z", + "name": "Data Gateway", + "description": "Data Gateway is a device that supports the communication and exchange of data between different systems, networks, or protocols within the ICS. Different types of data gateways are used to perform various functions, including:\n\n * Protocol Translation: Enable communication to devices that support different or incompatible protocols by translating information from one protocol to another. \n * Media Converter: Convert data across different Layer 1 and 2 network protocols / mediums, for example, converting from Serial to Ethernet. \n * Data Aggregation: Collect and combine data from different devices into one consistent format and protocol interface. \n\nData gateways are often critical to the forwarding/transmission of critical control or monitoring data within the ICS. Further, these devices often have remote various network services that are used to communicate across different zones or networks. \n\nThese assets may focus on a single function listed below or combinations of these functions to best fit the industry use-case. \n", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Data Acquisition Server (DAS)", + "related_asset_sectors": [ + "General" + ], + "description": "A Data Acquisition Server (DAS) a system or software platform that is used to collect, aggregate, and store data/telemetry from field devices using various SCADA/Automation protocols. " + }, + { + "name": "Serial to Ethernet Gateway", + "related_asset_sectors": [ + "Electric", + "General" + ], + "description": "A Serial to Ethernet gateway is a device that is used to connect field devices that only support serial-based communication (e.g., RS-232) with more modern Ethernet-based networks. 
" + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--68388d4f-8138-420b-be2b-5a7dfe9ff6b4", + "created": "2023-09-28T15:01:48.509Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0009", + "external_id": "A0009" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json b/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json new file mode 100644 index 0000000000..95966c9f6e --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32.json 
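Review bot: The `description` of the Data Gateway object ends with "These assets may focus on a single function listed below", but the three functions are listed above that sentence, so the reference points nowhere; it should read `listed above`. The same description has its words out of order in `often have remote various network services` (presumably `various remote network services`). The Data Acquisition Server entry is missing its verb and should read `A Data Acquisition Server (DAS) is a system or software platform ...`. Analysts read these strings when scoping remote-service exposure on gateways, so the wording is worth fixing in the knowledge-base source rather than downstream.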
@@ -0,0 +1,64 @@ +{ + "type": "bundle", + "id": "bundle--6085a42b-7a60-4979-8171-26e763bfc34b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-16T18:49:08.504Z", + "name": "Safety Controller", + "description": "Safety controllers are typically a type of field device used to perform the safety critical function. Safety controllers often support the deployment of custom programs/logic, similar to a PLC, but can also be tailored for sector specific functions/applications. The safety controllers typically utilize redundant hardware and processors to ensure they operate reliably if a component fails.", + "x_mitre_related_assets": [ + { + "name": "Safety Instrumented System (SIS) controller", + "related_asset_sectors": [], + "description": "SIS controllers are used to \u201ctake the process to a safe state when predetermined conditions are violated\u201d (Citation: Guidance - NIST SP800-82) through the reading of sensor data and interaction with digital/physical control surfaces. These devices are oftentimes located on programmable embedded devices running specialized RTOS or other embedded operating systems. " + }, + { + "name": "Emergency Shutdown Systems (ESD) controller", + "related_asset_sectors": [], + "description": "Emergency Shutdown System controllers are used to read sensor values and interact with control surfaces to return the system \u201cto a safe static condition so that any remedial action can be taken\u201d. (Citation: SIGTTO ESD 2021)" + }, + { + "name": "Burner Management Systems (BMS) controller", + "related_asset_sectors": [], + "description": "Burner Management System controllers are used to interact with sensors and control surfaces to maintain safe operating conditions for the burner. These can include safely starting-up and managing the main flame, controlling and monitoring the burning conditions, and safely initiating planned or unplanned shutdown sequences." 
+ } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--69d1b1ef-e918-4cfd-9a98-29debd04cb32", + "created": "2023-09-28T15:10:05.534Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0010", + "external_id": "A0010" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "SIGTTO ESD 2021", + "description": "Society of International Gas Tanker & Terminal Operators Ltd. (2021). ESD Systems: Recommendations for Emergency Shutdown and Related Safety Systems (Second Edition). Retrieved September 28, 2023.", + "url": "https://sigtto.org/media/3457/sigtto-2021-esd-systems.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json b/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json new file mode 100644 index 0000000000..84c9f46b00 --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04.json 
@@ -0,0 +1,54 @@ +{ + "type": "bundle", + "id": "bundle--bdd1d498-d966-4f7c-8869-0a679b120010", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T18:01:02.506Z", + "name": "Intelligent Electronic Device (IED)", + "description": "An Intelligent Electronic Device (IED) is a type of specialized field device that is designed to perform specific operational functions, frequently for protection, monitoring, or control within the electric sector. IEDs are typically used to both acquire telemetry and execute tailored control algorithms/actions based on customizable parameters/settings. An IED is usually implemented as a dedicated embedded device and supports various network automation protocols to communicate with RTUs and Control Servers.", + "x_mitre_sectors": [ + "Electric" + ], + "x_mitre_related_assets": [ + { + "name": "Protection Relay", + "related_asset_sectors": [ + "Electric" + ], + "description": "A protection relay is a type of IED used within the electric sector to monitor for faults or problematic operating conditions on power lines, busses, or transformers. While traditionally protection relays were electromechanical or electromagnetic devices, modern relays utilize microprocessors, embedded operating system, and SCADA communications." + }, + { + "name": "Field Device / Controller", + "related_asset_sectors": [], + "description": "IEDs may be referred to as Field Controllers or Field Devices as a general function name. 
" + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--75f810ad-b678-4c57-b93b-fdc79bba0c04", + "created": "2023-09-28T14:46:42.566Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0005", + "external_id": "A0005" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json b/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json new file mode 100644 index 0000000000..f74687937b --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d.json 
@@ -0,0 +1,41 @@ +{ + "type": "bundle", + "id": "bundle--0fcc07a5-74c1-44bb-8490-8883ee3729c1", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T17:46:20.340Z", + "name": "Application Server", + "description": "Application servers are used across many different sectors to host various diverse software applications necessary to supporting the ICS. Example functions can include data analytics and reporting, alarm management, and the management/coordination of different control servers. The application server typically runs on a modern server operating system (e.g., MS Windows Server).", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--973bc51e-c41e-4cec-ac03-9389c71f3d0d", + "created": "2023-09-28T14:58:00.982Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0008", + "external_id": "A0008" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json b/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json new file mode 100644 index 0000000000..b3c904dfbf --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990.json 
@@ -0,0 +1,59 @@ +{ + "type": "bundle", + "id": "bundle--ed32937b-19e7-4051-85b5-6c81ba710136", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T18:09:21.296Z", + "name": "Programmable Logic Controller (PLC)", + "description": "A Programmable Logic Controller (PLC) is an embedded programmable control device. PLCs typically utilize a modular architecture with separate modules used to support its processing capabilities, communication mediums, and I/O interfaces. PLCs allow for the deployment of customized programs/logic to control or monitor an operational process. This logic is defined using industry specific programming languages, such as IEC 61131 (Citation: IEC February 2013), which define the set of tasks and program organizational units (POUs) included in the device\u2019s programs. PLCs also typically have distinct operating modes (e.g., Remote, Run, Program, Stop) which are used to determine when the device can be programmed or whether it should execute the custom logic.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Process Automation Controller (PAC)", + "related_asset_sectors": [ + "General" + ], + "description": "Process Automation Controllers (PAC) share much of the same functionality as a PLC. PACs may include advanced features for process control, motion control, drive control, and vision applications. PACs may include additional features such as options to program in traditional programming languages such as C and C++ in addition to 61131 programming languages in order to support these more advanced controls. " + }, + { + "name": "Field Device / Controller", + "related_asset_sectors": [], + "description": "Programmable Logic Controller (PLC) may be referred to as Field Controllers or Field Devices as a general function name. 
" + } + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--986c455b-0f43-42b6-8360-33ac48bd9990", + "created": "2023-09-28T14:43:05.105Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0003", + "external_id": "A0003" + }, + { + "source_name": "IEC February 2013", + "description": "IEC 2013, February 20 IEC 61131-3:2013 Programmable controllers - Part 3: Programming languages Retrieved. 2019/10/22 ", + "url": "https://webstore.iec.ch/publication/4552" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json b/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json new file mode 100644 index 0000000000..a51016c2e8 --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5.json 
@@ -0,0 +1,45 @@ +{ + "type": "bundle", + "id": "bundle--a631db90-3a1b-4ba6-90a8-8b7bbae23c56", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-16T18:49:26.400Z", + "name": "Routers", + "description": "A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.(Citation: IETF RFC4949 2007)", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--dcb1d1c1-b195-45bf-b4cf-5b98c5b859a5", + "created": "2023-09-29T18:55:09.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0014", + "external_id": "A0014" + }, + { + "source_name": "IETF RFC4949 2007", + "description": "Internet Engineering Task Force. (2007, August). Internet Security Glossary, Version 2. Retrieved September 29, 2023.", + "url": "https://www.ietf.org/rfc/rfc4949.txt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json b/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json new file mode 100644 index 0000000000..a116e34b97 --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--206b70c4-8a18-494c-9343-22a8fcdda2b9", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T17:57:56.558Z", + "name": "Data Historian", + "description": "Data historians, or historian, are systems used to collect and store data, including telemetry, events, alerts, and alarms about the operational process and supporting devices. The historian typically utilizes a database to store this data, and commonly provide tools and interfaces to support the analysis of the data. Data historians are often used to support various engineering or business analysis functions and therefore commonly needs access from the corporate network. Data historians often work in a hierarchical paradigm where lower/site level historians collect and store data which is then aggregated into a site/plant level historian. Therefore, data historians often have remote services that can be accessed externally from the ICS network.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_platforms": [ + "Windows", + "Linux", + "Embedded" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--e2c3336a-dd93-44d6-8246-f93cf132c499", + "created": "2023-09-28T14:48:36.305Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0006", + "external_id": "A0006" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json b/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json new file mode 100644 index 0000000000..16905a345a --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3.json 
@@ -0,0 +1,78 @@ +{ + "type": "bundle", + "id": "bundle--69a36167-1c9d-4950-b8ea-97c77c66e010", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-10-04T18:09:59.538Z", + "name": "Control Server", + "description": "Control servers are typically a software platform that runs on a modern server operating system (e.g., MS Windows Server). The server typically uses one or more automation protocols (e.g., Modbus, DNP3) to communicate with the various low-level control devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs). The control server also usually provides an interface/network service to connect with an HMI.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Supervisory Control And Data Acquisition (SCADA) Server", + "related_asset_sectors": [ + "General", + "Electric", + "Water and Wastewater" + ], + "description": "A SCADA server is used to perform monitoring and control across a distributed environment. It typically has an associated HMI to provide information to a human operator and heavily depends on the human operator to initiate control actions." 
+ }, + { + "name": "Master Terminal Unit (MTU)", + "related_asset_sectors": [ + "General" + ], + "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" + }, + { + "name": "Supervisory controller", + "related_asset_sectors": [ + "General" + ], + "description": "*A controller that also acts as a server that hosts the control software that communicates with lower-level control devices, such as remote terminal units (RTUs) and programmable logic controllers (PLCs), over an ICS network* (Citation: Guidance - NIST SP800-82)" + }, + { + "name": "Distribution/Energy Management System (DMS/EMS)", + "related_asset_sectors": [ + "Electric" + ], + "description": "A DMS and EMS are electric sector specific devices that are commonly used to manage distribution and transmission-level electrical grids. These platforms typically integrate a SCADA server and HMI with domain-specific data analysis applications, such as state-estimation and contingency analysis (EMS), or voltage-var control or fault restoration (DMS). " + } + ], + "x_mitre_platforms": [ + "Windows", + "Linux" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--ecb81a8b-022e-4529-a404-55cffca7d3a3", + "created": "2023-09-28T14:55:39.339Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0007", + "external_id": "A0007" + }, + { + "source_name": "Guidance - NIST SP800-82", + "description": "Keith Stouffer. (2015, May). Guide to Industrial Control Systems (ICS) Security. 
Retrieved March 28, 2018.", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json b/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json new file mode 100644 index 0000000000..583ae28f96 --- /dev/null +++ b/ics-attack/x-mitre-asset/x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41.json 
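Review bot: The related assets `Master Terminal Unit (MTU)` and `Supervisory controller` have byte-identical `description` strings, so nothing in the object tells a consumer how the two differ or whether they are meant as synonyms. If they are aliases of one NIST SP 800-82 term, a short sentence in one of them (for example `Also referred to as a supervisory controller.`) would make that explicit. If they are distinct, each needs its own definition so that asset inventories mapped to this object do not merge the two by accident.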
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--6fd817b0-9a62-4534-897c-26e731315b76", + "spec_version": "2.0", + "objects": [ + { + "modified": "2023-09-28T14:23:52.358Z", + "name": "Workstation", + "description": "Workstations are devices used by human operators or engineers to perform various configuration, programming, maintenance, diagnostic, or operational tasks. Workstations typically utilize standard desktop or laptop hardware and operating systems (e.g., MS Windows), but run dedicated control system applications or diagnostic/management software to support interfacing with the control servers or field devices. Some workstations have a fixed location within the network architecture, while others are transient devices that are directly connected to various field devices to support local management activities.", + "x_mitre_sectors": [ + "General" + ], + "x_mitre_related_assets": [ + { + "name": "Transient Cyber Asset (TCA)", + "related_asset_sectors": [ + "Electric" + ], + "description": "A Transient Cyber Asset (TCA)(Citation: North American Electric Reliability Corporation June 2021) is a mobile workstation that is used to support management functions across multiple different networks, rather than being dedicated to any specific device/network. The TCA is often used to directly manage ICS environments that do not have any dedicated support for external remote access. Therefore, the TCA provides a mechanism for connectivity and file transfer to many networks/devices, even if they are segmented or \u201cair gapped\u201d from other networks. " + }, + { + "name": "Engineering Workstation (EWS)", + "related_asset_sectors": [ + "General" + ], + "description": "An Engineering Workstation (EWS) is used to perform various maintenance, configuration, or diagnostics functions for a control system. 
The EWS will likely require dedicated application software to interface with various devices (e.g., RTUs, PLCs), and may be used to transfer data or files between the control system devices and other networks. " + } + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-asset", + "id": "x-mitre-asset--f1315d02-9118-4e3b-8cdf-4c2d3f77ce41", + "created": "2023-09-28T14:22:49.837Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/assets/A0001", + "external_id": "A0001" + }, + { + "source_name": "North American Electric Reliability Corporation June 2021", + "description": "North American Electric Reliability Corporation 2021, June 28 Glossary of Terms Used in NERC Reliability Standards Retrieved. 2021/10/11 ", + "url": "https://www.nerc.com/pa/Stand/Glossary%20of%20Terms/Glossary_of_Terms.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json index 11f7d88888..6d0c07dd56 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3f98e79d-b060-4d21-9939-fa3e5f82ec21", + "id": "bundle--0b4fafcf-805b-43c5-8de7-521103176905", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json index d83ca44923..12326ab449 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a989723d-59c1-4015-b9bf-c3ea5814a323", + "id": "bundle--5e02abf5-31b8-4266-bf9e-2db5d1333ce9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json index 3a7368adfa..7cd90aa3fe 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee065291-1eb2-435f-8476-778e909142e8", + "id": "bundle--13fd7288-ec6b-42f6-a29a-e200919f02b6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json index 2a7f9ed54b..b4a9ea23e3 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23cd6758-091f-430b-aeb8-c9b3e0759bf0", + "id": "bundle--effd5688-a1f4-455a-a681-be0239239091", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json index 4f15b59d38..7f05f239e9 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bad91a0-93d7-444f-b0a7-226715e75e6b", + "id": "bundle--18b29034-2aa2-49a4-a06d-ffc7c493adb0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json index 77005b8efb..a19ca16eca 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--78e62ec6-1854-47e3-aa4d-23001b840577", + "id": "bundle--be5dffb5-1e27-4c19-9794-e8723c20f26a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json index fdb3c98004..4da6e9c2c7 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0015a87f-b2ff-421b-8735-42d4b5aca1a1", + "id": "bundle--d9fba609-f770-470d-8a5f-10880de85979", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json
index fcc48ef1c7..9acc25c3fc 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--76f75b51-932f-4822-8ae4-eec1b8804244",
+ "id": "bundle--b2d46b3a-d8fb-4368-8b1f-12fb246476d8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json
index 4e850a063e..9f7c1a4d1a 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ec150350-edbf-45fd-bf05-d620c23bb4cb",
+ "id": "bundle--c6f427d7-8b8f-4c3c-9c08-4b0a275c98af",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json
index 67fa711c06..3bec85e594 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3e858804-fcca-41bd-801b-46615d5c67c4",
+ "id": "bundle--d996cfc7-7b04-48f3-89bd-0277fb84c1fa",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json
index 0a6a625355..1b24c226d6 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3bb7b46b-4258-4f61-91b0-b9ee6557cffc",
+ "id": "bundle--5920eaaf-f304-474e-b1a7-6d531dd3e41b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
index d4ca0961a7..5f6eb1540c 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--01c6673f-cb14-4689-aacb-b79116800ad5",
+ "id": "bundle--e2b14271-55ff-49fa-90eb-4ef88e90a67b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json
index 2f9f49d3df..7d6b448e7d 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bae4699c-7ced-46c4-be22-e59be638ce2a",
+ "id": "bundle--c4772f56-c430-47af-bb7c-b010a2c628db",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json
index bd8d350217..1f2bf9a04f 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--681899f0-b690-45c7-ad90-3e70bfdd6dcc",
+ "id": "bundle--3e358dca-1699-4934-bbe2-3d68c8a5ae8e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
index 44213be1da..25676c0cc6 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--30e87ac0-8447-4419-977c-d914b763fe68",
+ "id": "bundle--7a178646-910b-4167-aa81-0a6ee5886a09",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json
index 2b60fa66a0..feb9ef77f3 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e6b6cf70-631d-47a6-8d54-6ce2b67dbabd",
+ "id": "bundle--52d29217-c7a4-4ebd-8ed4-a83e97e1d976",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json
index eb50b60724..74e93bf73d 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--16792041-3e10-4c59-aa61-6057d3af815e",
+ "id": "bundle--ddc3f023-93bd-4f1d-8b35-b6067a7102d9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json
index 6e0fa14303..9b171abccc 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9475f9ad-d073-4400-baab-34750a91370a",
+ "id": "bundle--abd6eaac-c0f6-4e00-80dd-36da9222af6f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json
index 4ac5d14c46..cd48e7d8d8 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c7e7e616-1015-4c2e-89dd-26691ac3c34d",
+ "id": "bundle--e1f3de4e-e366-41c3-bca1-baef91bae469",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json
index d121897c8a..8a6b7a1671 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--312837cb-6220-4c38-b85c-f9653737e95b",
+ "id": "bundle--f904db52-5fa6-4f5c-a7a3-98f1f3e405e5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json
index d82580c285..8da05c5e49 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b87fec8e-8659-4232-a024-ad6644d19029",
+ "id": "bundle--7788b008-b3be-43f7-9de0-6a48d9f7c234",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json
index 956c6ccc51..9ee4dd074b 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--461e74ee-e640-4d36-866d-6da18fcc9dac",
+ "id": "bundle--f2c4cdb7-8cad-42d0-b46d-645de26774ea",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json
index a42284b8d1..75d9576858 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8dbc0c7e-036d-49b0-94f5-86bede3dfbf1",
+ "id": "bundle--2146b77f-b0ea-4be5-b3f0-c9b3a3e72eab",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json
index c82546cc31..f72b52156c 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b53a0a0c-26fb-4713-98cd-f14e5f94d834",
+ "id": "bundle--b67bd71f-3d39-4fdc-8e3f-0b7ea4b37da9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json
index 4feee85354..ecc7ea4cad 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6c9766e6-1ad8-4cfb-a404-b25a6ec5318f",
+ "id": "bundle--d64835af-432a-4a7b-9502-36497361837e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
index d3f18105a9..2ab74653b5 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fa235724-375c-4866-89c6-2b112520a2c1",
+ "id": "bundle--eb4fa6ed-9f83-45c7-afd0-2bfcfc7533d8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json
index 4d9cb84d6c..fc697ab0f3 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e8be8763-27b0-40cd-98d5-1f763d1b1794",
+ "id": "bundle--29064072-a879-4cef-aa63-cd4e6f075e68",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json
index aec5e21ecc..b6bd673db8 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b217c357-1ac8-4b29-b763-6849c45c14df",
+ "id": "bundle--03a0668a-53f8-4a36-81d9-2793c276755a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json
index 82e6600b3a..fbab3e0cfa 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e69f9550-ccad-46c6-857f-b94113d6505d",
+ "id": "bundle--89b7e778-7028-48aa-b61e-4a67c1e9178c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json
index 10bedc9ea9..c8c1ed6f80 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d6cb08d1-80a5-4d57-a890-7dc63bc964a3",
+ "id": "bundle--fd70eec1-724b-41d1-ab69-34827e089747",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json
index f2b40fda06..72377d9ea9 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4d557e09-1748-4ee2-bfdc-69fdd62de8eb",
+ "id": "bundle--40a830eb-6447-488e-ba81-abd3cbd045ce",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json
index 9822195b05..d7f840a1e8 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e6916262-5bf8-4553-9875-5efefa565d4c",
+ "id": "bundle--5c1aa9a7-bae7-47a9-95ae-ff5e6f77749f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json
index 232ebed7f6..548fcb7a97 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8ba7cfa7-6826-4b63-82d4-a5a082608cd2",
+ "id": "bundle--9f6e0fb7-8cb2-4ae3-8fba-cde4918347a8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json
index 2ba2ab15b1..c15df70649 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ec8b6382-252c-4f75-9dbc-0969c4b851cd",
+ "id": "bundle--7bb2a5dd-e55c-47d7-b10f-700c046ed051",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json
index 95d7475244..3bd964c196 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cdcef489-bdad-49d7-98bb-dcfb8019b344",
+ "id": "bundle--8bf48fe2-5efe-42e1-8dbe-b494facbcd7c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
index 7188838385..044fa71938 100644
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
+++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a6862587-b2d5-4a5f-b787-4f2b460fbc08",
+ "id": "bundle--4be11d71-721f-4065-adeb-4894c67230ea",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
index efacd6350f..23572c8c29 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--13fece6d-e3b4-4467-af6f-11db18f5308d",
+ "id": "bundle--481622b9-06d9-4ece-8238-d9d3c00df5ea",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
index c2a5bebc0d..d8fe95302d 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5e486f5f-2ecf-4b99-8eea-e85323751459",
+ "id": "bundle--a298719b-88a0-4621-831c-8c314661f19a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
index 0811d7c1b7..517ce03697 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--965ec4a7-fedc-43b2-8819-a6b84f3aa5d2",
+ "id": "bundle--54b341ac-74b9-401c-9ffe-a7b408a73fc6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
index 60b2b7913a..f54d72c7cb 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7031653e-4ffd-4627-88a4-398dc885b3aa",
+ "id": "bundle--5452dd0f-332c-492f-9ce7-2ddb8d71afa3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
index 1281318398..fb90c89c8c 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a0bf7bb6-4c80-44f6-ab65-088d62ba6fd2",
+ "id": "bundle--3c38a811-40c8-4274-98c7-bab11a079128",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
index 9ad8955c0b..fd1f747e14 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a8da672f-b2bc-4c43-aa56-fbcc139d6970",
+ "id": "bundle--7421d1bc-098b-486a-91bf-7f74325dd1d3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
index 379cb06874..36c7257eb7 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c4ffd5ce-2749-4629-8aa3-4f2e519b4894",
+ "id": "bundle--3d6967d1-518c-460e-a672-e1026dd1eb5e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
index a5dad376d2..fff44fddb1 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--def7474c-80e7-4d88-bde9-bbbe393a65ec",
+ "id": "bundle--a80d3ee7-77e3-4c6e-a3a8-9047bd0ccf0e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
index 42598d9b1c..24811cd76e 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f497553d-652a-460e-bd3e-73e50531d6b0",
+ "id": "bundle--e8713ee7-11f1-4a24-810f-d2482a89ff75",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
index 991c501465..abcfe54862 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--843d91ca-7c7c-4c38-ba65-a8c30760953e",
+ "id": "bundle--868742df-2d80-4790-a39a-ba9bab08ac9f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
index 9543dd4dc7..2390900e84 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1051a64e-571b-41cd-9469-ed258ead8d1a",
+ "id": "bundle--bcaccf28-3192-4503-9c98-f8c232433bbd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
index 1e0d731d0f..1a41338ac5 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--328f0122-e87c-46b8-8346-5f56ca01a1dc",
+ "id": "bundle--da0ae5aa-d89c-47a6-86d9-42fce5d2b538",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
index 705c719c58..87c17adfda 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aea1c361-00c0-4ac9-8f01-2fe5084dc883",
+ "id": "bundle--a57d8cf9-85f2-448c-a2a0-0c4b0a04b6b5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
index 471cb57dd0..b4e57638a5 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1243dda8-213f-4f76-bf7d-18c978655739",
+ "id": "bundle--57887a7d-c719-40cc-abeb-539739388678",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
index 266f09269b..54729c47e2 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7fd672de-717d-425e-894c-d7482e0324f2",
+ "id": "bundle--54471c58-c0de-48f5-9e57-faa72bdbf725",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
index 233d414fcf..de59d3f9f0 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6b85be98-7ef3-4023-8bcc-0a3a305a1d04",
+ "id": "bundle--d1c698bd-6668-4bbe-9498-0dd56b196225",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
index eed3022879..5f0f03b1fc 100644
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f02f25b8-af6d-4504-885b-6ce250253d70",
+ "id": "bundle--ece89c70-4ccf-4321-a772-843e58925f63",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json b/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
index 83fc689222..f37664bd22 100644
--- a/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
+++ b/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--43dd6c40-9639-4d4b-9073-a303920f2939",
+ "id": "bundle--b6310aac-0268-4b3a-88ae-baa87df17da9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
index 67ba79adcc..f364d3b8c0 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--00cb1983-fde3-4f67-b940-728391fd147c",
+ "id": "bundle--4aa47634-313c-48ef-82ea-c645a56c447b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
index fad6920df2..59e1398a63 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--66fa705a-be3f-4a82-a4c8-67ed73e9305d",
+ "id": "bundle--b1b6341b-766c-442c-bcb6-0c11405c5aa5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
index 311a6f3c51..aa4d88ecae 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eec92533-5458-4714-ada6-c40f0fc7b459",
+ "id": "bundle--d35c5f1a-aaca-49f4-987b-058edaa6e3d2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
index 972e96fa25..c72f9eea55 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dde05676-f9ba-452f-8bef-20b83bd49267",
+ "id": "bundle--d6878715-576d-4fd6-ac7b-4a1a880583ed",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
index a24910c84f..95a6f627ad 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1be20e95-6785-4829-a519-8883a923217e",
+ "id": "bundle--e39e0fbc-5912-4b26-bf44-357b78e5d096",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
index ca2acca15c..008feecc3f 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b1549907-b685-4a04-9f14-cc7ddfcaf1bf",
+ "id": "bundle--92695ae9-793d-422c-a361-27965535b94a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
index 2f95bd08c6..8fb00d8f84 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--263ad2ee-d011-486d-b84a-e02c2c6b8eb5",
+ "id": "bundle--e71b1a27-7dfb-483f-9e26-2839ca6004b3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
index 9f6c125393..15e88cf3db 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a24543db-962c-4997-be6a-6679c680b570",
+ "id": "bundle--af4fc905-f0cf-458f-b0d8-fbba4b7109ca",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
index 5233138e03..134fcb6683 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7ed50e9f-c82a-483e-8ed8-8523e9972a03",
+ "id": "bundle--319686c3-ba64-4587-906a-f8d95296eac6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
index e0f2593ecd..6bf4c1d9a7 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a40eb987-7bd7-4e40-bcfa-ef30019cd120",
+ "id": "bundle--fe0b89a1-556a-406f-a1bb-42eb491dc853",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
index 2fbafa3713..69d2f4a711 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--da5ec217-893f-4e0c-a8eb-8090c27c4ba1",
+ "id": "bundle--e0a35ed7-111e-4f63-a085-a4aa619f45e6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
index 73a720358a..aa51379073 100644
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
+++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fbddcd5c-6d30-4496-b029-7ae4ca24783c",
+ "id": "bundle--d95cc0dc-5e87-47f9-b246-b0fa517c4ea9",
 "spec_version": "2.0",
 "objects": [
 {